Opinion: Microsoft's future is up to users. PAGE 28

Security risks come in many forms, from disgruntled employees to passwords left on Post-it Notes in plain view. This In Depth report — the first in a monthly series on crucial IT topics — identifies the dangers you might overlook, the technologies that could protect your business and the kind of people you'll need to pull your company out of a tough situation.

A FEW HIGHLIGHTS

» Cyberattacks by insiders
» The top 10 security mistakes
» A deluge of false alarms from intrusion-detection systems
» Computer forensics that involve more than just hackers

See In Depth, pages 33-60.

GET MORE IN DEPTH INFO: Dig into our huge collection of IT security articles, research links and white papers at www.computerworld.com/indepthsecurity.
» Congress threatens action on privacy and security.
» Legal changes may help protect corporate secrets.
» Is XML a security risk or a security tool?
» Traps you can set for intruders.
» Will P3P become the new standard for privacy?
» How can you make PKI practical?

PRIVACY ACT COSTLY IN FINANCE SECTOR

Firms spend millions to recast databases

BY LUCAS MEARIAN

Even as federal regulators began enforcing the massive reforms of the Financial Services Modernization Act last week, companies were still scrambling to create automated systems to ensure their compliance with the new privacy regulations.

Also known as the Gramm-Leach-Bliley Act, the legislation requires financial firms to let their customers opt out, or choose not to let their personal information be shared with outside companies.

Financial firms have spent more than $400 million compiling privacy policies and identifying partners and third parties with whom they share data, according to Needham, Mass.-based TowerGroup. The total cost of compliance with the new legislation could swell to three times that figure and could skyrocket to Y2k spending proportions if Congress

Privacy, page 69

MICROSOFT CASE MAY YIELD CHOICE

Some apps could be separated from OS

BY PATRICK THIBODEAU

The recent U.S. Court of Appeals decision in the Microsoft antitrust case could ultimately give corporate end users the ability to pick and choose among some Windows applications that the company plans to integrate with future versions of the operating system, say some legal and industry analysts.

“Just think about the extent to which future Microsoft planning includes writing software code for collaborative applications into the Windows [operating system] itself,” said Herb Hovenkamp, an antitrust expert and law professor at the University of Iowa in Iowa City. “I think Microsoft is going to have to rethink that whole strategy.”

The case is still unsettled, and its ultimate impact, if any, on Microsoft Corp.’s operating system

Microsoft, page 69

NEWS

6 Eli Lilly reveals e-mail addresses on drug reminder list; the ACLU complains of privacy violation.

8 Nasdaq to launch order service this week, raising volume on a network that crashed in June.

10 Threat database targets real points of attack, not just vulnerabilities hackers don’t exploit.

12 CA sues, cuts bonuses to resist an executive coup attempt aimed at breaking up the company.

14 Non-IT products phone home, using an IBM system with remote diagnostics and notification to make service faster, more efficient.

22 Security stocks drop as corporate spending cuts that hurt the tech market finally reach them.

Opinions

Maryfran Johnson
Pimm Fox
David Foote
Fred Wiersema
Michael Gartenberg

Career Adviser

Columnist Fran Quittel answers readers’ questions about job opportunities and surviving a merger.
www.computerworld.com/careers

House Majority Leader Attacks HIPAA

House Majority Leader Dick Armey recently criticized parts of the HIPAA regulations and their impact on security and privacy issues. Read his full letter to Health and Human Resources Secretary Tommy Thompson at www.computerworld.com/security.

MOREONLINE

For breaking news - updated twice daily, at noon and 5 p.m. - visit our Web site.
www.computerworld.com/latestnews

33 Risk & Reward

Sure, e-commerce is risky. But hackers aren’t the only thing to worry about, and firewalls aren’t the only way to protect online transactions enough to build the Web into a solid, profitable business medium.

The first in Computerworld’s new, monthly In Depth series examines the risks and the rewards of e-commerce, and how to minimize one while maximizing the other.

34 The Enemy Within

Sometimes the greatest threat comes from the enemy in your office, not the one at the gate. But there are ways to defuse even the worst potential offenders.

36 The Threat of XML

XML is so popular and such an obvious way to make difficult data connections that few suspect that it may be as dangerous as it is valuable.

ONLINE: Even so, XML will become much more secure — if authentication and certificate protocols are ever accepted.
www.computerworld.com/indepthsecurity

38 Top 10 Security Mistakes

Some precautions aren’t that complicated, but fixing simple problems is harder than you think.

ILLUSTRATIONS: ANASTASIA VASILAKIS

Capitol Crunch

Dozens of bills are making their way through Congress to change the way IT handles privacy, spam and a raft of other issues. See which ones are most likely to pass.
www.computerworld.com/indepthsecurity

40 Playing By Europe’s Rules

The European Union just signed a treaty standardizing cybercrime laws across the continent, and it won't take long for U.S. companies to feel its effect.

ONLINE: Read more about the treaty and what Europeans are saying about it and the U.S.
www.computerworld.com/securitylinks

42 False Alarm

Intrusion-detection tools have gotten a lot better, but sorting out major attacks from false alarms is still a big problem.

ONLINE: Tips to help you decide when it makes sense to outsource intrusion detection.

44 Deadly Pursuit

Not all online crime detection is virtual. Meet a forensics expert who uses computers to track murderers, not just computer criminals.

ONLINE: How to launch a computer forensics career.

WWW.COMPUTERWORLD.COM

Private Investigation?

Companies that share private IT data with the feds risk having it released to the public. Some are trying to change the Freedom of Information Act to protect IT while still cooperating to nail the bad guys.
www.computerworld.com/indepthsecurity

48 Unlocking Secure Online Commerce

Public-key networks have been so hard to set up that few users have bothered. But that may change as PKI’s value becomes clearer.

ONLINE: Research how to build a PKI network, and which tools to use and why.
www.computerworld.com/securitylinks

52 Giving Users Back Their Privacy

The P3P protocol may not make Web surfing really private, but it can give customers more control — and create headaches for you.

Stats and graphs on how dangerous bad security can be.

Also In Depth . . .

46 Security Manager's Journal
Vince turns detective to track down users who step over the line.

54 Joe Auer warns that mistakes on security contracts can leave end users unprotected — at just the wrong time.

56 Emerging Companies
Finjan’s software is designed to find malicious code, not just predefined viruses.

Picking Your Targets

Even the most activist IT operation has to decide where to put its attention; here’s a rundown of what the government is up to that may affect you.
www.computerworld.com/indepthsecurity

Shell, IBM Ink $100M E-Business Apps Deal

In a cost-cutting bid, The Hague-based Royal Dutch/Shell Group will set up three worldwide hubs to standardize and consolidate its global IT applications infrastructure. The three data centers, to be located in Houston, The Hague and Kuala Lumpur, Malaysia, will provide the core infrastructure for Shell's range of enterprise resource planning and e-commerce applications. Shell chose IBM as the prime hardware provider for the centers under a five-year, $100 million agreement. IBM will supply eServer systems, enterprise storage servers and technical support and services.

Ditmore Surfaces At Bank One

James Ditmore, former CIO at Omaha-based Ameritrade Holding Corp., has landed a job as Bank One Corp.'s chief technology officer for infrastructure and operations. The Chicago-based bank announced last week that the 41-year-old IT veteran will join the company on July 16 to oversee service levels for systems availability and operations and define the company’s technology architecture and standards. Ditmore will also be responsible for network, enterprise computing and desktop/mobile platforms.

Short Takes

CHINA NATIONAL COMPUTER SOFTWARE AND TECHNOLOGY SERVICE CORP. will build a software and hardware encryption module for MICROSOFT CORP.'S Windows XP Professional Chinese edition. . . . Schaumburg, Ill.-based MOTOROLA INC. has agreed to sell its Multiservice Networks Division to PLATINUM EQUITY in Los Angeles. . . . RADIOSHACK CORP. in Fort Worth, Texas, has agreed to purchase Microsoft's 25% minority interest in RadioShack.com LLC for $88 million in cash. The move gives RadioShack 100% ownership of RadioShack.com.

Vendor Sues User in ‘Man Bites Dog’ Case

Analysts say slow economy may spur more cases like that involving CSC and Saks

BY JULEKHA DASH

Technology consulting firm Computer Sciences Corp. (CSC) has filed a lawsuit against retailer Saks Inc. accusing it of misappropriating trade secrets and violating the terms of an IT services contract signed by the two companies early last year.

Analysts described the suit, which was filed June 18 in U.S. District Court for the Northern District of Georgia, as atypical, since users are usually the ones that initiate litigation against vendors when contract disputes arise. But such battles may become more commonplace as both vendors and users face growing financial and competitive pressure in today’s slowing economy, according to at least one analyst.

“This is a case of man bites dog. It’s an oddity,” said Tom Rodenhauser, president of Consulting Information Services LLC in Keene, N.H. “You don’t sue [a client] unless you've given up forever on them.”

Neither El Segundo, Calif.-based CSC nor Saks, a Birmingham, Ala.-based company that operates Saks Fifth Avenue and other department store chains, would comment on the case, though both companies acknowledged that the suit had been filed.

According to a statement CSC filed with the court, Saks agreed in January 2000 to let the consulting firm take over its contract negotiations with telecommunications suppliers and computer software and hardware vendors. The move was expected to save the retailer about $2 million in annual costs, CSC claimed.

CSC reviewed Saks’ telecommunications contracts to see what kind of savings the retailer could get by purchasing the services through agreements the consulting firm has with the suppliers, the suit said. But CSC alleged that Saks used the confidential information “as bargaining tools in [its] own negotiations with telecommunication service providers.”

As part of the suit, CSC is seeking compensatory and punitive damages plus attorneys’ fees from Saks. Although the consulting firm didn’t specify the amount of damages it’s requesting, the suit claims that Saks owes CSC nearly $1.5 million plus interest for its services.

Contract disputes like this one may become more commonplace, said analyst Alden Cushman at Kennedy Information Inc. in Fitzwilliam, N.H.

As a result of the dot-com collapse and the slowdown in the economy and IT spending, some clients may be finding ways to save money on IT instead of leaving the work to a consulting firm, which could result in possible misunderstandings, Cushman said.

See You in Court

CSC’s lawsuit alleges that:

» CSC performed an analysis of Saks’ contracts with telecom providers, but Saks used the information to negotiate agreements on its own.
» Saks used improper means to acquire confidential information from CSC.
» Saks owes CSC about $1.5 million plus attorneys’ fees.

ACLU Knocks Eli Lilly for Divulging E-Mail Addresses

Site’s prescription reminder reveals names of recipients

BY JULEKHA DASH

Pharmaceutical firm Eli Lilly and Co. inadvertently divulged the e-mail addresses of 600 patients to one another due to a computer programming error revealed last week. The incident sparked an outcry from the American Civil Liberties Union for the breach of privacy, and analysts noted it’s the kind of event that will violate pending health care rules.

The incident occurred when the drug maker sent an electronic message to its registered Web site users to notify them that the site’s “reminder” feature, which alerts them to take their medication, would be discontinued due to a redesign. Instead of each message being sent individually, the system sent one e-mail, whose “to” field revealed the complete e-mail addresses of about 600 patients, according to Eli Lilly spokeswoman Anne Griffin. Indianapolis-based Eli Lilly makes the antidepressant drug Prozac and other drugs.

The affected patients were those who had signed up for the e-mail reminder service. Griffin described the mistake as an “isolated event” and the result of a programming error.

To prevent other such incidents, Eli Lilly is preparing a code audit review and is “working on a program that would block all outbound e-mails with more than one address,” said Griffin.

The company is also talking to its employees about the importance of protecting patient privacy, she said.

Analysts said the error violates the pending Health Insurance Portability and Accountability Act (HIPAA), which, among other things, stipulates that health care organizations must establish policies and procedures to protect patient privacy. But the drug maker won't face any HIPAA penalties because organizations have until April 2003 to comply with the rules.

The company’s mistake came under fire from the New York-based ACLU, however. In a letter, the ACLU asked the Federal Trade Commission (FTC) to investigate Eli Lilly for consumer privacy violations.

“If this breach of duty goes unnoticed, it could raise the possibility not only that Eli Lilly will continue to injure consumers and harm the public interest, but that other companies will be encouraged to engage in similarly unfair and deceptive practices,” wrote Barry Steinhardt, ACLU associate director, and Christopher Chiu, Internet policy analyst.

During the next two years, health care organizations will have to review the way they communicate health information with patients to comply with HIPAA.

E-Mail Error

Eli Lilly says a programming error led to mishap.

» Patients had signed up for e-mail reminders to take a prescription drug or for other health matters. About 600 patient addresses were identified in a mass e-mail.
» The ACLU has asked the FTC to investigate the error for possible consumer privacy violations.

Mitsubishi to Consolidate 700 Networks Using Provider

Hopes investment in and move to ANX hub will improve, lower cost of service

BY LEE COPELAND GLADWIN

Imagine operating seven industrial-grade private networks and point-to-point bandwidth connections worldwide. Multiply that number by 100, and you will understand the IT challenge facing Mitsubishi Corp.

To consolidate its sprawling network morass, Tokyo-based Mitsubishi this week plans to take a 20% equity stake in networking provider ANXeBusiness Corp. and make ANX its primary networking hub. It’s also a deal that analysts and users say will fuel a long-awaited expansion of Southfield, Mich.-based ANX’s services into the Pacific Rim.

“We have a huge EDI [electronic data interchange] network of 700 different networks, and it’s really a headache and difficult to manage and to maintain security levels across the networks,” said Junji Inoue, senior vice president of e-commerce at Mitsubishi, which posted $124 billion in revenue last year. Inoue said he expects that using ANX’s network will both reduce costs and provide better data communications between its diverse subsidiaries — for example, in the petroleum, chemical and consumer electronics industries — and their numerous suppliers.

Financial terms of the deal weren't disclosed. Mitsubishi plans to implement ANX at its corporate headquarters and its 650 international subsidiaries whenever possible. It will also conduct a feasibility study this summer on how to market the service to its trading partners, Inoue said.

“We're in a good position to expand the ANX service to other industries other than automotive,” said Inoue.

With bandwidth rates of 1.5M bit/sec. and higher, ANX allows its customers to exchange computer-aided design files, encrypted messages and EDI transactions to internal facilities and external suppliers and partners, said Erik Naugle, chief technology officer at ANX.

“ANX is already the de facto standard for any company in the automotive industry,” said Zeus Kerravala, an analyst at The Yankee Group in Boston. “This cash will help them expand globally and will solidify their position as a premier networking company.”

The Automotive Industry Action Group (AIAG), a trade association of automakers and suppliers, launched ANX in 1997 to provide a central point of connectivity to the major automakers and their suppliers in the U.S. and Canada. The Southfield, Mich.-based organization attracted 280 automotive customers but couldn’t fund or manage expansion into other vertical industries, Europe and Japan. So in December 1999, the AIAG sold ANX to San Diego-based Science Applications International Corp. to meet its growth goals, according to a former AIAG official and ANX.

Since then, ANX has widened its focus to other verticals, such as financial services and health care, said Naugle. The customer roster now includes about 850 companies, he said.

The Mitsubishi deal suits ANX customers such as Dofasco Inc., a $2 billion manufacturing company that produces steel for the construction, packaging and automotive industries.

“[This deal is] very promising because it could help develop ANX deployments in Asia Pacific,” said Doug Buchanan, business technology manager at the Hamilton, Ontario-based company. He said Dofasco’s EDI costs have been cut in half because ANX charges a flat fee to customers, as opposed to other bandwidth suppliers that charge based on the volume of transactions. Further expansion could cut costs even more, Buchanan said.

Network Deal

Mitsubishi has ambitious plans for ANXeBusiness.

» Mitsubishi plar

Visa Offers Security Spec for E-Transactions

Banks, retailers begin installation of payment tech

BY LUCAS MEARIAN

Teaming up with more than 60 technology vendors, Visa International Inc. has rolled out a new technical specification to support payment authentication services for online credit card transactions worldwide.

Foster City, Calif.-based Visa International’s new 3-D Secure 1.0 specification puts a global spin on payment authentication capabilities that Visa’s U.S. operations detailed in May. But at least one industry analyst criticized Visa’s specification, saying that it and others like it used technology that was “lying around the shop” and that it could be a lot smarter.

Front-End Limitations

The technology lets consumers buying items online authenticate their identities with passwords or personal identification numbers through windows that pop up after their credit card numbers are entered.

Cardholders can use traditional Visa cards or smart cards at the electronic storefront. But that’s where the smart-card technology stops — at the front end. Analysts said the system could go further by allowing card-issuing banks to tie that information into relational databases that could, for example, add frequent-flier miles based on a rewards program to the card’s memory.

“I wish that [Visa and MasterCard] and American Express and Discover would take chips seriously and use it for the security it offers,” said Theodore Iacobuzio, an analyst at Needham, Mass.-based research and consulting firm TowerGroup.

IT managers at hundreds of banks and retailers will now be faced with installing the new specification during the next 18 months.

Tickets.com Inc. in Costa Mesa, Calif., decided to jump on board Visa’s new authentication network because the company believes the specification gives customers better security than chief competitor and market leader Ticketmaster.

“When you talk to customers about their biggest concern over conducting transactions on the Internet, security comes out as their No. 1 major concern,” said Andy Donkin, president of Tickets.com’s Internet ticketing group.

Mark Redding, vice president of Web development at Tickets.com, said he spent two weeks configuring his Web servers for the new specification and had a “few issues” with that end of the implementation. But, he added, “the coding literally took less than a week.”

Oliver Althoff, a spokesman for Fleet Credit Services in Boston, said the installation difficulties on the back end depend entirely on a financial service company’s existing network. For Fleet, which has a robust customer service network, it was an eight-month process that included adding Web servers both on- and off-site for redundancy and backup capability.

“We had some significant expenses around the smart-card technology, but we had a robust servicing platform that we were able to piggyback on,” Althoff said.

Randi Purchia, an analyst at AMR Research Inc. in Cambridge, Mass., agreed with Iacobuzio that the technology Visa is using is nothing new. Merchants will be quick to adopt it because verifying the cardholder’s identity promises to cut in half the number of chargebacks, or failed purchase attempts, they currently experience, Purchia said.

“I'd agree that the smart-card solution is the place where this is all heading,” Purchia said. “It’s just not moving as fast as we would hope.”

Giving Credit Where It's Due

A sampling of vendors that contributed to Visa International’s authenticated payment system:

» Accenture
» Cap Gemini Ernst & Young
» Ericsson
» Go Software
» IBM
» SkyGo





Nasdaq Launches Revised Order System

Testing problems rouse concerns with users

BY LUCAS MEARIAN

As the Nasdaq stock market prepared last week for today’s launch of its revised version of the Small Order Execution System (SOES), analysts said problems revealed in trial runs are making electronic communications network (ECN) companies hesitant to use the expanded messaging network.

Nasdaq shut down for an hour June 29, after a technical snafu led to a slowdown of its SOES and SelectNet quote-update networks.

It’s that kind of mistake that has sparked skepticism over the new SuperSOES service, according to Damon Kovelsky, an analyst at Meridien Research Inc. in Newton, Mass. Declining to comment on specifics, Kovelsky said Nasdaq’s test of its SuperSOES network has revealed some “serious problems ... of a technological nature.”

In a statement last week, Washington-based Nasdaq Stock Market Inc. said, “Currently, all systems seem prepared, and the launch date is firm. However, Nasdaq will not implement SuperSOES if we are not confident our system is ready. We are retaining the legacy system, so it will be possible to revert to the old platform.”

SuperSOES, which will operate during normal market hours only, will increase the number of trades in one transaction a thousandfold, from the current 999 to 999,999. SelectNet is currently used for all large trade orders.

The first pilot of the SuperSOES system will launch today and will include 20 securities — 18 Nasdaq National Market securities and two test stocks. The full implementation of SuperSOES will begin July 30 and will include all Nasdaq National Market securities.

The hope, said analysts, is that the new communications network will eventually make SelectNet obsolete. That system is clunky and slow and has been troubled by outages, they said. “It’s the Nasdaq platform ECNs love to hate,” said Kovelsky. ECNs are private trading networks that let people conduct stock transactions without going through Nasdaq market makers such as Goldman, Sachs & Co. in New York.

But the ECN companies seem skeptical that SuperSOES is the answer.

Margaret Nagle, a spokeswoman at Archipelago Holdings LLC, an ECN in Chicago, said the firm won’t use SuperSOES as its automatic order-execution engine in the immediate future because Archipelago already has its own.

Nagle said Archipelago has tested the SuperSOES system with Nasdaq over the past few weekends and hasn’t seen any problems. “But things operate differently in test environments than when you're live,” she said. “We don’t know yet how quickly quotes will be updated in this new system. We wouldn’t want to give stale quotes.”

Andrew Goldman, an executive vice president at The Island ECN Inc. in New York, welcomed the launch of SuperSOES as a positive step. But he stopped short of saying whether Island would ever consider the network as its primary automatic order-execution engine.

In fact, Nasdaq said in its statement that so far, no ECN has indicated that it will be a full SuperSOES participant willing to accept automatic order executions against its quotes.

Meanwhile, Nasdaq spokesman Scott Peterson said the June 29 outage won’t affect the launch of SuperSOES.

Software problems have plagued the stock exchange’s SOES. Last year, trading had to be halted at least five times for up to 11 minutes because of slowdowns in the network, which is provided by WorldCom Inc. “We have resolved this issue and will continue to work with Nasdaq to take all steps necessary to ensure it does not recur,” WorldCom CEO and President Bernard J. Ebbers said in a statement.

A Nasdaq official said the most recent shutdown was caused by a WorldCom technician who entered a command into the live network instead of the test network on which he was running a program.

AT A GLANCE

SuperSOES

According to Nasdaq, SuperSOES is a revised version of the Small Order Execution System, its current automatic execution trading system. SuperSOES will become the primary order-routing and automatic execution system for Nasdaq National Market securities. At the same time, these enhancements will re-establish SelectNet as a nonliability system for order delivery and negotiation.

MOREONLINE

To read more wireless news, visit our Wireless Resource Center
www.computerworld.com/wirelesscenter

Metricom Files for Bankruptcy Protection

Says subscribers will stay connected

BY LINDA ROSENCRANCE

Wireless Internet access provider Metricom Inc. filed for bankruptcy protection last week but said it plans to keep subscribers to its Ricochet service connected during reorganization.

Metricom filed a petition for reorganization under Chapter 11 of the U.S. Bankruptcy Code in San Jose, where the company is based. Under Chapter 11 protection, Metricom plans to “restructure its operations and debt obligations while maintaining its wireless network and continuing to provide service to customers and resellers in the 15 metropolitan areas it serves,” the company said in a statement.

“They could never find a place in their network where there was a high volume of traffic and [where] the economy played in their favor,” said Ken Dulaney, an analyst at Gartner Inc. in Stamford, Conn.

The company said it had 40,900 subscribers at the end of March. Metricom charges up to $79 per month for unlimited airtime but offers volume discounts to $59 per month for organizations with more than 20 accounts.

Ricochet subscriber Alan Foster, vice president for government and community affairs at Sanyo North America Corp. in San Diego, said that although he likes the Ricochet service, the price is somewhat prohibitive, especially since it’s offered in a very limited market.

Foster said he’s concerned about Metricom’s bankruptcy filing. Ricochet works well in the cities where it’s offered, “but because it’s so expensive, I couldn’t really get enough people to buy into it. I talked to a lot of people, and they said it’s not offered everywhere they travel,” he said. “Maybe if the prices came down, more people would [subscribe].”

Foster, who said he also subscribes to Earthlink, said Metricom needs to be more aggressive in marketing its product in order to survive. However, he said, “if they fail, there will be someone else” to take their place.

Edwin Robertson, technology director at Corporate Financial Services in Philadelphia, said he used the service on a trial basis about six months ago but decided not to subscribe. “They couldn’t cover the areas I needed,” he said. “I live in Maryland, but the only place I could get a good [connection] was in Philadelphia.”

Robertson said Metricom’s only hope is to solidify its infrastructure. “People have to have access to the Web through [Metricom’s] product [wherever they are]. Right now, it’s like buying a car with no tires.”

Ricochet also faces increasing competition from other providers of both wireless and wired services, Dulaney noted. “People in their homes are going to use high-speed [land-line connections]; people in airports are going to use 802.11b,” he said.

The 802.11b wireless LAN standard operates at up to 11M bit/sec. The Ricochet service tops out at 128K bit/sec.

Metricom offers its high-speed service in Atlanta, Baltimore, Dallas-Fort Worth, Denver, Detroit, Houston, Los Angeles, Minneapolis-St. Paul, New York, Philadelphia, Phoenix, San Diego and the San Francisco Bay area. It offers a 28.8K bit/sec. service in Seattle
and Washington. 

The bankruptcy announce- 
ment follows a troubled start 
to the year for Metricom. In 
February, Timothy Dreisbach 
resigned as the company’s 
chairman and CEO. In March, 
the company announced plans 
to lay off about 25% of its 800 
employees. D 
IDG News Service correspon- 
dent Douglas F. Gray con- 
tributed to this report. 





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power protection solution for the VoIP environment. 
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across the WAN, over time. 
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BY DAN VERTON 
NEWS

Oracle Users Cautiously Optimistic About Pricing Changes

Users are applauding Oracle Corp.’s move to cut database software prices and discontinue the controversial power-unit pricing, but they’re taking a wait-and-see approach to Oracle’s new cost-conscious view of the world.

Oracle CEO Larry Ellison announced the move to per-processor licensing last month, when he unveiled the company’s Oracle9i database. The change came after a third-quarter earnings shortfall and a year of negative publicity that was fueled by user discontent with Oracle’s power-unit pricing model, which many characterized as exorbitant.

Now, with per-processor based fees that reduce costs for some configurations by as much as 15% to 18% compared with the power-unit approach, users said they’re optimistic about their futures as Oracle customers.

However, most said the economy must improve before they can buy more software.

“The new pricing is much more acceptable and competitive,” said Doug Cummings, manager of new technologies at Andover, Mass.-based Vicor Corp. “I think that the overall reaction to the policy change is positive. [However], with the economy like it is, we are just not spending like we were in the past.”

Rich Niemiec, president of the International Oracle Users Group-Americas, a Chicago-based organization that represents Oracle’s database users, said users are telling him that the price changes came at the perfect time. “The main things that I’m hearing is that pricing is much simpler to understand [and] the price reductions come at a great time — when times are tougher,” Niemiec said. “It keeps people on Oracle and thinking about Oracle9i and when to move to it.”

Other users, like Michael Karaman, vice president and chief technology officer for product development at The Medstat Group Inc. in Ann Arbor, Mich., agreed that the price changes are welcome but said it’s too early to see any impact. “This is certainly a move in the right direction,” said Karaman.

Oracle’s pricing spokesperson was unavailable for comment last week because of the holiday, and attempts to speak with someone else were unsuccessful.

Yet, while Oracle’s move to per-processor pricing resulted in price reductions for users, some still say the $40,000 per-processor price tag for the enterprise software edition is a little high compared with the $22,000 IBM charges for a DB2 enterprise license. John Chadwick, a U.K. government Oracle user, said the price of an Oracle database could still put off small and medium-size clients in the U.K., where funds are even harder to come by.

“Customers are still very much in ‘Let’s digest this all before we go ahead with anything’ mode,” said James Governor, an analyst at Illuminata Inc. in Nashua, N.H. Users are weighing what the changes will mean for them in practice, he said. “I don’t think Oracle can escape the premium-pricing tag overnight. I would say it’s still a little too early to call.”


Firm Tracks Threats, Not Vulnerabilities

TruSecure aims to monitor what hackers really exploit; some say that’s not so easy

BY DAN VERTON

COMPANIES TODAY are at as much risk of falling victim to security information overload as they are of getting hacked. The number of security advisory services that claim to offer a way to stay ahead of the hundreds of technical vulnerabilities discovered each day has made it virtually impossible for companies to know for sure if they’re getting the right information.

TruSecure Corp., a Reston, Va.-based security firm, claims it has an answer. Using the client base of 36,000 Internet-connected systems it monitors, TruSecure is developing a threat database that it says will rightfully shift the discussion toward a more effective security model: from one of what vulnerabilities are out there to one that highlights what hackers are actually doing.

Other organizations use a similar approach, but the TruSecure database would power the first alert service based exclusively on threat data pertaining to hacker activity and not on vulnerabilities in general. “A vulnerability without a threat isn’t worrisome,” said Peter Tippett, TruSecure’s chief technologist. “We're focused on risk ... where there are both vulnerable systems and people shooting.”

The threat database will complement TruSecure’s vulnerability database. It will be offered in conjunction with the company’s quarterly list of the top 10 hacker exploits that it says are responsible for 99% of all successful network intrusions (see chart).

“If we focus on protecting against the stuff that really happens, then we’re protecting against the relevant stuff,” he said. “A quarterly upgrade of systems gets you a twentyfold reduction of risk.” TruSecure couldn’t say when the database would be completed.

Other security experts and analysts agreed with Tippett’s general argument and acknowledged the need for threat information. But most questioned the ability of any one vendor to collect enough detailed information to be able to determine what exploits hackers are actually using. They also pointed to potential problems with TruSecure’s focus on what Tippett calls “the easy stuff.”

“They’re completely right. Looking at a hundred vulnerabilities a day does nothing for you,” said Tim Belcher, chief technology officer at security monitoring firm RipTech Inc. in Alexandria, Va. “However, I’m sure that without a very good monitoring base, it would be very difficult to tell what is being done successfully.”

One organization that tries to offer both vulnerability reporting and threat data is the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

“We go to great pains to understand which vulnerabilities are most serious and which are most likely to be exploited by hackers,” said Shawn Hernan, team leader for vulnerability handling at CERT.

Hernan also warned against focusing too much energy on the easy exploits.

“Intruders are adaptive and trying to get too simplistic just causes the intruders to pick something else,” he said. “If you fix the top 10 [vulnerabilities], they'll pick No. 11 or No. 26.”

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., acknowledged that analyzing threats has its merits. But he also questioned the ability to know for sure what exploits are being used and warned that by focusing too much on random attacks, some companies could be lulled into thinking they aren’t vulnerable to specific, targeted attacks.

“If the vulnerability exists, sooner or later someone will shoot at it,” said Keith Morgan, chief of information security at Terradon Communications Group LLC in Nitro, W.Va. “Plug them all. But plug the hot ones first.”

MORE

For more on security, see page 22 and our In Depth section starting on page 33.

W32 worm
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Dot-com Layoffs Down 


Dot-com layoffs are at their lowest level since November, while overall job cuts in the U.S. in June were up 56% from the previous month, according to reports by outplacement firm Challenger, Gray & Christmas Inc. The Chicago-based firm reported last week that layoffs at Internet-related companies fell in June for the second consecutive month to 9,216, a decrease of 31% from May's 13,419 cuts. Layoffs in May fell 24% from April's record high of 17,554. June’s cuts are the lowest since November's 8,789.


NextWave, Lucent Sign 3G Network Deal

NextWave Telecom Inc. has signed an agreement with Lucent Technologies Inc. to build the first phase of a third-generation (3G) digital wireless network, using the spectrum NextWave regained after a court battle with the Federal Communications Commission. Under the $100 million all-cash deal, Murray Hill, N.J.-based Lucent will begin construction of a wireless voice and data network in Detroit and Madison, Wis. Lucent will also deploy the initial phase of a data-only network in NextWave’s remaining 93 markets, Hawthorne, N.Y.-based NextWave said. That work is expected to be completed within the next 10 months.


EMC Sales Fall Short

Once again blaming the slowdown in IT spending brought on by the softening economy, EMC Corp. last week warned that its financial results will fall well short of expectations for the second straight quarter. EMC now expects revenue of about $2 billion, 18% lower than the $2.43 billion Wall Street analysts had forecast. The Hopkinton, Mass.-based data storage firm indicated that second-quarter profits will likely be only about one-third of what was expected. Earnings should total between $88 million and $132 million, EMC said, which is far lower than the $375 million figure analysts had predicted.


Fights Back

Company files lawsuit to stop Wyly’s takeover, cuts bonuses for top executives

BY MARC L. SONGINI

AS EXPECTED, the board and management team at Computer Associates International Inc. are showing stiff resistance to Texas entrepreneur Sam Wyly’s bid to oust them.

First, they filed a lawsuit trying to block Wyly’s takeover attempt. Then, last week, they moved to boost CA’s bottom line by announcing that top executives won't receive any bonuses in fiscal 2002.

In a press release on its Web site regarding its preliminary proxy statement, CA said company President and CEO Sanjay Kumar and founder and Chairman Charles Wang this year will have their compensation limited to base salary, benefits and stock options. Wang’s salary is $1 million, and Kumar’s is $900,000.

The move appears to be an attempt to win the favor of shareholders, who have seen CA’s top executives receive massive compensation during a time of lackluster revenue growth. Shareholders are scheduled to vote Aug. 29 on whether to keep the existing board or replace it with a board and management team led by Wyly.

But a spokesman for the Islandia, N.Y.-based company said the bonus cuts had nothing to do with the pending vote. Wang and Kumar didn’t receive performance-based awards because of a “change in the firm’s business model, which changed revenue recognition and resulted in a net loss for the year,” according to a statement issued by CA.

Wyly, who last year sold his software firm, Sterling Software Inc., to CA, last month announced his intentions to replace Wang as chairman and to break the company into four independent units. CA quickly fought back by filing a lawsuit to block Wyly, based in part on a noncompete clause in the Sterling sales agreement.

A spokesman for Wyly’s Dallas-based investment company, Ranger Governance Ltd., which is spearheading the proxy fight, called CA's lawsuit baseless and said it involves a “tortured misreading of the noncompete agreement.” He said the decision not to award executive bonuses is immaterial.

“There are documented years of shareholder abuse, and one instance of their changing their egregious compensation does not change years of lackluster performance,” the spokesman said.

In the proxy statement, Kumar said Wyly’s plans to break the company into four organizations just don’t make sense.

“In addition to decreasing the company’s ability to offer integrated software solutions and engage in cross-selling, Mr. Wyly’s plan would increase overhead costs and potentially be disruptive to employees,” he stated.

Analyst Rick Ptak at Hurwitz Group Inc. in Framingham, Mass., agreed. “Wyly’s plan sounds like a ‘small is beautiful’ fantasy,” he said. “Customers are looking for solutions to comprehensive business problems, not a bunch of independent tools they have to assemble into a solution.”

CHARLES WANG, CA chairman

SANJAY KUMAR, CA president and CEO





CA World to Push Business

Analysts say more user support needed for complex features

BY MARC L. SONGINI

This week, customers of Computer Associates International Inc. will get a glimpse of the company’s latest iteration of its flagship network management application and hear how CA intends to execute its e-business plans.

However, analysts suspect that the Islandia, N.Y.-based company is going to have some trouble helping users fully grasp the features of some of its more complex new products.

At CA World, which opened Sunday in Orlando, the company is expected to unveil Unicenter 3.0, the next generation of its management product. In addition, it plans to announce that it will sell pieces of Unicenter as stand-alone products, freeing customers from having to buy the entire suite, said Tarkan Maner, vice president of corporate marketing at CA.

The company will also expand the number of application programming interfaces available for users to tie their CA products to heterogeneous supply chain management, enterprise resource planning and customer relationship management applications, which will allow business process management using Unicenter.

Everyone has been talking about interoperability and business process management, but CA is actually starting to deliver on it, said Rick Ptak, an analyst at Hurwitz Group Inc. in Framingham, Mass.

There are challenges, however. In particular, users are having a difficult time understanding the Jasmine ii middleware CA announced last year.

“I’m still learning [about Jasmine], and I’m impressed by its capabilities. But I’m starting to think that CA does a great job on the spin machine [but] can’t seem to communicate about those technologies,” said Jeff Adams, IT director at Canton, Ohio-based The Belden Brick Co.

Adams said Belden Brick has had Jasmine ii in place since May to tie together 12 databases, but the more uses the company finds for it, the more problems that arise.

Belden also uses Unicenter Framework, and Adams said he’s interested in exploring the product line’s business process management capabilities. However, he said that although he believes the technology is sound, he isn’t sure CA has consultants with the skills needed to map his company’s workflows to the applications. There aren’t many people who understand how to apply technology to business, he added.

Despite CA’s business process management offerings, it still has its work cut out for it, since competitors BMC Software Inc. in Houston and Austin, Texas-based Tivoli Systems Inc. have also been pushing on that front, said Corey Ferengul, senior program director at Meta Group Inc. in Stamford, Conn.

JEFF ADAMS: “CA can’t seem to communicate” about its technology.
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Service Follows 


Products After Delivery

Aims to help manufacturers track unit-level data, reduce costs

BY JAIKUMAR VIJAYAN

IBM HAS LAUNCHED a service aimed at helping manufacturing companies track unit-level information, potentially reducing product warranty costs and driving additional spare parts sales.

The service, called IBM ServiceAfterSales, is offered by IBM’s Product Lifecycle Management (PLM) group. It was designed to improve a company’s ability to track the performance and usage history of a product after it has been shipped to a customer.

Using the centralized service, companies will be able to keep tabs on key product-diagnostics information, usage and repair histories, maintenance and service records, and detailed case-based repair scenarios.

French automaker PSA Peugeot Citroën SA, for instance, is using the service to perform Internet-based remote diagnostics on its cars, said Alan A. Chakra, IBM’s business unit executive in charge of the new service.

Using onboard diagnostics and Internet links at dealer locations, a Peugeot vehicle can report fault conditions to a remote service facility maintained by IBM, which then advises technicians on the corrective steps that need to be taken, Chakra said.

Another example is a recent wireless remote monitoring and control service called Myappliance.com that’s being offered by Farmington, Conn.-based air conditioner maker Carrier Corp. and IBM. Among other things, the service allows Carrier’s new Web-enabled air conditioners to send fault codes and other diagnostic alerts instantaneously via mobile phones, e-mail or fax to the company’s service technicians, Chakra claimed.

This kind of unit-level interaction helps companies reduce repair times and avoid the common mistake of unnecessarily replacing good parts, analysts said.

It also allows companies to gather information that can be used to anticipate and design around future problems, said Andy Chatha, president of ARC Advisory Group Inc., a Dedham, Mass.-based manufacturing consultancy.

These kinds of capabilities are crucial for manufacturers that are looking to aftermarket service, maintenance and repair for opportunities to cut costs and grow revenues, especially in a slow economy, Chatha said.

Despite the potential upfront costs, “there’s a lot of pressure on manufacturing companies to develop systems like these” because of their long-term return on investment, he added.

Putting together the pieces needed to deliver such services isn’t trivial, said Ken Amann, an analyst at CIMdata Inc. in Ann Arbor, Mich.

IBM is working with other companies to integrate the components of an organization’s product life cycle management system, such as product services, customer support, configuration and diagnostics services, as well as aftermarket service support and management teams.

“The good news is that all the pieces are there already,” Amann said. And advances in areas such as wireless and broadband technologies are making deployment easier, he added. The key lies in integrating these different parts and figuring out how to optimally gather, store, access, share and mine the information that’s generated from such a system, he explained.


Managing the Product Life Cycle

IBM’s PLM partners include the following:

> Enigma Inc.: Offers technology that helps manufacturers combine product information with e-commerce and decision-support systems.

> Dassault Systemes SA: Supplies technologies to graphically define, share and manage product, process and resource information throughout the whole product life cycle.

> Cadam Systems Co.: Sells specialized desktop computer-aided design and manufacturing systems.


MSN Messenger Loses Touch With 12M

Users unable to access contact lists

BY JENNIFER DISABATINO

About 12 million users of Microsoft’s online instant messaging service lost access to their contact lists last week after a July 3 hardware failure at the company’s headquarters. The problem had not been resolved by the time of Computerworld’s print deadline Friday afternoon.

“On a server, a disk controller failed and a backup controller had an error,” said a Microsoft Corp. spokeswoman. “It’s no small potatoes, and they’re taking this very seriously.”

The service, MSN Messenger Service, has 36 million users worldwide, so about one-third of the users were affected, said the spokeswoman. The data wasn’t lost, she said, users just couldn’t get access to it.

The spokeswoman said the problem wasn’t linked to a configuration glitch with Microsoft’s new Passport service, which lets users register a single name and password that works at various Web sites, eliminating the need to reregister at every site.


Cargill Launches Internal Online Catalog

Software from Cardonet will automate procurement of supplies from 70 vendors

BY MARK HALL

Cargill Inc.’s IT team this week is being trained on a new catalog management application for company employees who purchase products online.

The $48 billion Minnetonka, Minn.-based conglomerate has added the E-Catalog Automation Platform from Santa Clara, Calif.-based Cardonet Inc. to automate its procurement operations. The upgraded software includes both buyer and seller catalog management capabilities; previously, the two functions were offered in separate products.

The upgrade also adds features such as automatic classification of content based on preset rules and category-level attributes. These features let catalog owners apply the same attributes with different rules for each category.

Jeff Robles, Cargill’s electronic procurement architecture and implementation leader, said his team will initially focus on cutting time out of the procurement process.

“If you can take five purchase orders and put them into one, you’re also going to be saving money,” he said.

Establishing Standard Rules

Cargill will establish standard rules for categorizing content so online catalog managers won't have to review and categorize content for every new catalog.

For example, acronyms that are used in catalogs will be identified and either automatically translated into their full names or brought to the attention of a catalog manager for explanations.

Cargill’s procurement system has 70 suppliers that offer a variety of office and building supplies, Robles explained. He said one of the company’s goals will be to create a preferred list of suppliers.

Cargill wouldn’t disclose what it’s spending on the project, but pricing for the Cardonet software starts at $125,000.
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Feds Asked to Boost 
IT Research Funding 


Federal funding is the backbone of the Internet and supercomputing, but future advances are in jeopardy because of a slowing federal commitment to IT research, according to some IT leaders. “We must act now to reinvigorate long-term IT research,” said Eric Benhamou, chairman of Santa Clara, Calif.-based 3Com Corp., during a hearing of the House Science Committee’s Subcommittee on Research late last month. “If we do not take these steps, the flow of ideas that have fueled the information revolution over the past decades may slow to a trickle,” Benhamou said. The government is slated to spend $1.76 billion on technology research initiatives during its current fiscal year. The Bush administration has asked for a 1% increase for the coming year.


Vendor Investments in 
Start-ups Tanked in Q1 


Large IT vendors with venture capi- 
tal arms, which have reaped gener- 
ous returns on start-up investments 
in recent years, significantly cur- 
tailed investing during the first 
three months of this year, according 
to a recent PricewaterhouseCoop- 
ers survey. Intel Corp., for example, 
made 163 investments in start-ups 
last year, compared with only 19 
during the first quarter of this year. 
Cisco Systems Inc. made only seven 
investments in the first quarter, 
compared with 45 in all of last year. 


Watch Those Links 


Banks are being warned to exercise 
due diligence in linking third parties 
to their Web sites. Linking can pose 
a risk to an institution's reputation, 
particularly if the third party offers 
lower levels of security and privacy, 
said the Office of the Comptroller of 
the Currency in a bulletin released 
last week. The comptroller advised 
banks to examine those relation- 
ships and to ensure that customers 
aren't confused about the links. 


IP Network to Monitor Power Grid in 14 States

Goal is to pinpoint problems and make corrections before electrical outages occur

BY JAMES COPE

A NEW organization directed by federal authorities to spot trouble and ensure competitive access to electrical transmission grids will soon deploy an IP network to monitor and control the transmission of electrical power from independent power producers throughout a 14-state area in the Midwest.

The Carmel, Ind.-based organization is Midwest ISO, an independent systems operator (ISO) that arose from a 1999 Federal Energy Regulatory Commission order aimed at discouraging electrical utilities from blocking independent power producers from accessing transmission grids. Similar organizations have been formed in other parts of the country, including ISO New England Inc. in Holyoke, Mass.

Michael Gahagan, Midwest ISO’s CIO and chief strategy officer, said the IP network, which is being built and managed by AT&T Solutions in Florham Park, N.J., will be the linchpin of the ISO’s operations.

The network command center in Carmel will be connected with the control centers for approximately 22 electrical utilities in the Midwest via AT&T’s frame-relay cloud. Expected to go live in the middle of next month, the network should enable operations personnel at the ISO to look into regional transmission grids at a substation level, spot potential trouble and make corrections before an outage occurs, said Gahagan.

An example of a typical problem, he said, would be a recurring bottleneck on a major transmission route between, say, Minnesota and Wisconsin. Should more power be required on either side of the bottleneck, the sensors at sites on the network would immediately alert personnel in the ISO command center of a potential problem, Gahagan explained. Console operators could then issue orders over the network to ready another generator to pick up the slack, he said.

Currently operating in test mode, the ISO network is monitoring 100,000 different points on the regional transmission grid every 60 seconds, said Gahagan, who declined to say how much the ISO network costs.

Still, it isn’t feasible to monitor every substation in the region, he said.

To compensate, the ISO will use computer simulation tools to paint a probable picture of areas on the grid that aren’t directly observable. The simulation tools are based on algorithms previously developed by NASA scientists to pinpoint the position of lunar landing modules during Apollo space missions, said Gahagan.

THE MIDWEST ISO facility in Carmel, Ind., will monitor operations at approximately 22 electrical utilities in the Midwest.


Digex CEO Gives Download on Hosting Nets

issue, says Shull

Mark Shull is president and CEO of Digex Inc., which hosts and manages networks for large corporations such as Ford Motor Co. and New York-based Colgate-Palmolive Co. And he has a new boss; on July 1, WorldCom Inc. took a 55% stake in Laurel, Md.-based Digex. Computerworld’s James Cope spoke with Shull last week about some of the trends in network outsourcing.

Q: What's the major challenge confronting managed hosting providers and application outsourcers?

A: From the provider’s perspective, the most difficult part is the sheer complexity. You have large numbers of services that you provide in a mission-critical way. Any one component may have 99.9% reliability. But you add multiple components, and the total system is going to be less reliable than any single application.

A lot of what we’re doing is new. Up until now, most of what people were doing was market info and basic consumer sales. Now it involves more important functions, such as supply chain management and working with partners. We’re now seeing core business applications [being outsourced].

Q: How about from the enterprise customer’s point of view?

A: There’s grave concern about loss of visibility and loss of control [among corporate IT people], particularly with those who have to manage the business applications. We have built a lot of automation around deploying and managing [equipment and applications] in a way that all of the management data produced is generated in XML, in real time. We push [that information] to customers.

Q: What types of companies are attracted to the network outsourcing model?

A: Because we’ve only focused on managed hosting from the beginning, [customers] have been overwhelmingly large enterprises.

One reason they decide to outsource is because network technology is actually growing more complex faster. And there’s the speed to market. We already have the infrastructure, the application services and the people to manage them.

Q: Many providers have cut their staff in recent months. What about Digex?

A: We have been increasing personnel — not at the same rate as last year, but increasing. On the sales front, a lot of our people have been coming from Web hosting providers. Our technical people have been coming from multiple places — from systems integrators and from other technology companies — because there aren’t really that many managed hosting providers.

SHULL: Data is pushed to customers in real time.
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NEWS 


First Data Overhauling Backbone for E-Payments

Firm undertakes IT upgrade in bid for B2C, B2B transaction-processing markets

BY MICHAEL MEEHAN

FIRST DATA CORP. sprang to life in 1971 as a backbone for what then was an emerging credit card industry. Now the Denver-based payment services giant is in the throes of a massive IT upgrade that’s aimed at helping it retain its market-leading position as the industry continues its shift to electronic formats.

First Data Resources, a division of First Data, is the world’s largest third-party transaction processor, with more than 1,400 corporate issuers and 311 million accounts in its portfolio. Last year, the division brought in CIO-for-hire Charles Feld to shepherd the company into the e-commerce era.

Feld, who was previously CIO at Frito-Lay Cos. and Delta Air Lines Inc., is candid about First Data’s challenges and the opportunity for it to become a central hub supporting all sorts of business-to-consumer and business-to-business online transactions.

“I don’t know when, but cash and checks will be as distant a memory as wampum at some point,” Feld said. “Money’s changing, forever. We want to be the payment and transport for whoever wants to transact business.” That includes processing everything from consumer credit card purchases to multimillion-dollar business-to-business transactions.

Feld has focused on separating data from its transport. Wireless purchases, sales made through online exchanges and credit card transactions will be wrapped in uniform messaging protocols and routed through a layer of Unix machines, which will be used to help make decisions about how to handle that data. Then the information will be routed back to a cluster of IBM OS/390 mainframes, which will process the transactions.

FELD: “Cash and checks will be as distant a memory as wampum.”

Market-Driven

To a degree, First Data didn’t choose its business strategy. Corporations are busy retooling their back-office environments to handle more of their sales and purchases in electronic formats. Gartner Inc. in Stamford, Conn., estimates that online business-to-business transactions totaled $434 billion last year and will jump to $6 trillion by 2004.

Recognizing that someone has to move that money, First Data spent $40 million last year to beef up its IT operations. Feld said the company plans to spend between 3% and 5% of its card revenue this year to build on that effort. A First Data spokeswoman said that amounts to an additional $40 million investment in the IT infrastructure upgrade this year.

“There’s some serious heavy lifting involved in that,” Feld noted. “You’re going to run into problems if the buy moves at Internet speed but the back end moves at rail speed.”

According to analysts, online business-to-business transactions are often paid for with corporate purchasing cards issued by suppliers. That kind of money-handling limits the size and speed of electronic transactions.

“I think it’s fair to say electronic payments have not been ready for prime time,” said Laurie Orlov, an analyst at Forrester Research Inc. in Cambridge, Mass.

Orlov cited the inability of corporate accounts payable systems to process business-to-business transactions as the principal bottleneck, rather than the readiness of the banking and world. Still, she noted that both sides need to progress with their respective IT infrastructures to streamline the process.

Feld said he expects the work on First Data’s database and Unix wrapper to take another 12 to 18 months. The move is expected to help the company process whatever types of transactional data its customers send. Once that effort is completed, the company will begin to build client-facing applications.

Leveraging Technology

First Data isn’t alone in trying to carve out a position in the fast-evolving e-payments universe.

For instance, Dutch credit insurance company NCM NV has fathered a risk management services firm for online and off-line trade called eCredible Ltd.

“Everyone forgot that e-commerce isn’t a brand-new way of doing business,” said Jurgen Leijdekker, U.S. managing director at eCredible. “You still have to get paid at the end of the transaction, and you need to have the same support for electronic payments as you did for paper ones.”

Meanwhile, Italy’s largest automated interbank payment organization, SIA SpA, has contracted with Syntrex in Padova, Italy, to create a centralized method of handling all of its financial-processing transactions.

Augusto Astesiano, SIA's e-business and security systems director, said that most of his company’s customers will be working on TCP/IP networks within two years but that some established customers will still prefer to send information using the X.25 transaction protocols that the Society for Worldwide Interbank Financial Telecommunications’ network uses.

“You have to be ready for any type of data,” Astesiano said.

Bob McCullough, an analyst at Framingham, Mass.-based Hurwitz Group Inc., said the key for money-changers will be their ability to function in a technologically heterogeneous world.

“There’s going to be a lot of different ways to transfer money, and someone's going to figure out how to do it if they don't,” he said.

“I think it’s fair to say electronic payments have not been ready for prime time.”
LAURIE ORLOV, ANALYST, FORRESTER RESEARCH


Inside First Data's Conversion

Charles Feld has spent the past decade as a CIO-for-hire at companies such as Burlington Northern Santa Fe Railroad and Delta Air Lines.

Now, as CIO of First Data's First Data Resources division, Feld is looking to update yet another legacy-system-dependent organization.

Here are some of the keys to the major IT overhaul he’s currently driving:

■ Make applications easy to configure so programmers aren't required to act each time changes need to be made.

■ Standardize payments into a generic format.

■ Provide a packet of interfaces and rules options to credit-issuing companies reliant upon First Data's database, so they can change the rules and parameters on their own systems, as well as run their own customer relationship management applications based on the database.

■ Use IBM's MQSeries middleware and Palo Alto, Calif.-based Tibco Software Inc.'s infrastructure software to shuttle data from client-facing Unix machines back to IBM OS/390 mainframes.

■ Leverage existing technology, such as IBM's DB2 and WebSphere middleware, instead of tapping into new technologies. “Everything we have is a firm piece of stuff that I've worked with, or the people at First Data have worked with,” Feld said. “There's no unknowns. We know exactly how that stuff works.”

■ Orchestrate the overhaul using a small management team, and take advantage of institutional knowledge. “I'm a firm believer that 30 years of knowledge is worth something,” said Feld. “That's a lot to rebuild, if you ignore it.”

■ Set up governance processes on technology and business sides to ensure that changes are properly implemented and adopted. “Most IT organizations are pretty weak on governance,” Feld said. “What's the opposite of governance? I guess it’s lawlessness. Anyway, that’s what we're trying to avoid.”

- Michael Meehan


New Software Helps Baseball Scouts Track Prospects


BY JENNIFER DISABATINO

Somewhere, an old, wizened baseball scout who never before touched a computer is typing player statistics into his laptop instead of scribbling on hotel notepaper.

From the laptop, the data will be shipped to the front office via the Internet for consideration by coaches and the general manager, instead of being faxed to the IT department, where techies try to decipher the handwriting and type it into an AS/400.

“They surprised us,” Vince Crossley, network administrator for the Los Angeles Dodgers, said of the scouts. “They seemed to be able to adjust to this very, very well. We were expecting a lot of training and user issues and resistance. Some of the scouts had no computer experience and are senior citizens.”

Seven Major League Baseball teams use IBM’s Prospect Reporting and Organizational Solution (PROS), collaboration software that was specially built for baseball scouts on Notes and Domino from IBM subsidiary Lotus Development Corp. in Cambridge, Mass.

The Colorado Rockies, Kansas City Royals, New York Mets, Pittsburgh Pirates, Texas Rangers and Toronto Blue Jays also use the software. A few others are in line to start next year.

Tony Thallman, product manager at IBM, said PROS is basically a Notes database with special forms created for scouts. The forms include space to list the basics on a player, like his pitch speed, whether he’s left-handed or right-handed or how fast he runs to first base. IBM custom-configures the forms for each team with 40 to 50 fields, and the data in those fields is measured and calculated to give each player a score.

“It saved us time, so we can support other departments. Everyone from the upper management down to the scouts — they all love it,” said Tony Miranda, IT manager of the Blue Jays. Scouts for the Blue Jays used to send in documents through an old DOS-based system, and IT staff would have to manually clean up the data before sending it to the front office.

Jim Edwards, senior director of information systems for the Royals, said he and others in the IT group used to have to type often-illegible faxes into an AS/400. In addition to using the software to create reports, he’s able to send reports out via Notes because, unlike the Dodgers and the Blue Jays, the Royals use Notes for corporate messaging and have tied it to the PROS software.

Edwards, Miranda and Crossley said they would like to set up virtual private networks so their scouts can access the PROS system from any Internet-connected machine.


NHL Scores With Database On Draft Day

BY JENNIFER DISABATINO

This year’s top pick in the National Hockey League entry draft, Ilja Kovalchuk, is from Russia. But for teams and reporters, getting his background information wasn’t a problem.

NHL officials shaved hours off the process of selecting players in the draft by using a database accessible to teams, scouts and even journalists. The teams also save time by using e-mail to submit the names of draft picks, eliminating the need for runners to carry messages to and from team tables.

Built on Notes 5 and Domino collaborative technologies from Lotus Development Corp. in Cambridge, Mass., the NHL database contains information about all prospective draft picks. Business rules built into the software allow those vetted by NHL scouts to automatically pass on to the next phase of the workflow process. The playing histories of those who haven’t been vetted are compiled from scouting reports and local news coverage. NHL officials review that material before they approve the draft pick.

The draft took place last month at the home rink for the Florida Panthers in Sunrise, Fla. Some 60 workstations, connected to two Notes servers, were available for the league’s 30 teams, NHL officials and journalists.

Part of what Peter Del Giacco, vice president of IT for the NHL, has done with Notes and Domino is to automate the workflow process of the draft. Now, a team sends a request for a player as a draft pick in a Notes e-mail message. That message is automatically routed to the central scouting desk. Requests for preapproved players are automatically forwarded to the central registry desk. If approved there by NHL officials, the name goes to the podium, where there is also a workstation, and NHL officials post the name on a large display board.

“Teams can run various types of reports. They don’t have all day to make these decisions,” Del Giacco said. “We also wanted to generate something that was point, click — fairly easy to use. We also didn’t want to take six months to write it.” This was the fourth year using the system for the draft.


IBM Completes Buy Of Informix Database


IBM last week completed its $1 billion acquisition of Westboro, Mass.-based Informix Corp.'s database operations. About 2,500 Informix employees are shifting to IBM as part of the deal, which was agreed to earlier this year. Plans call for key technologies such as Informix’s analytical tools to be incorporated into future versions of IBM's flagship DB2 Universal Database. IBM said it will continue to sell Informix’s existing database products, but DB2 will be the foundation for future offerings.


IBM to Cut 1,000 Global Services Jobs

IBM will lay off approximately 1,000 employees in its IBM Global Services division as part of an effort to align the skills of its workforce with demand from customers, a company spokeswoman confirmed last week. The affected employees will have 30 days to seek employment in other IBM business units before they're laid off, she said, adding that the layoffs will all take place in the U.S. The move echoes a similar step taken by the company in May of last year, when it announced a plan to eliminate about 1,000 employees from the same division.


B2B Vendors Suffer Another Bad Quarter

Commerce One, others miss targets

BY MICHAEL MEEHAN

A SPRING THAW didn’t follow a harsh winter for B2B software vendors. Many companies last week reported that their revenues are still plummeting.

Commerce One Inc., i2 Technologies Inc. and BroadVision Inc. all announced that they expect quarter-to-quarter revenues to tail off at least 30%.

It marks the second straight quarterly regression for these companies. Analysts said that they believe the slide will continue and that it shows how companies are investing in IT more conservatively.

Kimberly Knickle, an analyst at Boston-based AMR Research Inc., said that implementations of software for buying and selling goods electronically can be lengthy and involved projects, costing $500,000 or more. “I’m not sure companies are willing to take that on right now,” she said. “Nobody wants to be in charge of the project that keeps growing.”

It has also become common for IT projects to require a higher level of executive approval than they once did, according to Laurie Orlov, an analyst at Forrester Research Inc. in Cambridge, Mass. B2B procurement has also lost some of its luster, she added.

“The [enterprise resource planning] guys are savvy about procurement now,” Orlov said. “You can get procurement from PeopleSoft, SAP and Oracle now, and it works, unlike some of their earlier releases. For the B2B vendors, that means it’s not differentiation through newness anymore.”

SAP AG actually rushed to the aid of Pleasanton, Calif.-based Commerce One about two weeks ago, with a $225 million investment worth approximately 20% of Commerce One’s stock. Many analysts viewed the investment as a major step toward SAP’s eventual purchase of its smaller partner.

“Long term, the marriage will take place, but probably just for the technology and nothing else,” said Hari Srinivasan, an analyst at Banc of America LLC in San Francisco. “It doesn’t look like there’s a lot of revenues to be had from Commerce One.”

However, in a conference call, SAP CEO and co-founder Hasso Plattner called Commerce One’s marketplace software a key in SAP’s attempts to break free from its back-office supply chain moorings. In particular, he said, joint development efforts with Commerce One would help SAP gain a foothold in private procurement exchanges and help with B2B integration.

He insisted that two down quarters in a slow economy isn’t reason to abandon a company that has proved to be a valuable technological partner. “We make a major investment here because we see a huge business opportunity,” Plattner said.

Redwood City, Calif.-based BroadVision saw its revenue tumble from an all-time high of $136.9 million in the final quarter of 2000 to $91.1 million in the first quarter of 2001, and to an estimated $54 million to $60 million last quarter. Likewise, Dallas-based i2 saw its numbers drop from $357 million in the first quarter of 2001 to an estimated $235 million to $240 million this past quarter.

Both companies said they were hurt by general slowness in the economy.


Short Takes

SAPIENT CORP. is laying off 14% of its staff, or 390 workers, in the second round of cutbacks at the Cambridge, Mass.-based Internet consulting firm this year. . . . To cut costs, HEWLETT-PACKARD CO. is asking its 88,500 employees worldwide to volunteer to take either eight vacation days off without pay or a 10% pay cut. Employees may opt instead to take four vacation days without pay and a 5% pay cut. . . . New York-based TMP WORLDWIDE INC., the parent company of online job-hunting site MONSTER.COM, is buying rival HOTJOBS.COM LTD., also in New York, for approximately $460 million.


Security Firms Hit Bumps

Earnings warnings, layoffs hit sector

BY JAIKUMAR VIJAYAN

Computer security firms, which until recently seemed impervious to the broad slowdown in IT spending, are finally beginning to feel the pinch.

Last week, Atlanta-based Internet Security Systems Inc. (ISS) announced that its second-quarter earnings would range from a loss of 2 cents per share to break-even, on revenue of $50 million to $52 million. Analysts had expected the intrusion-detection vendor to make a profit of 15 cents per share on revenue of $65 million.

Network security vendor Check Point Software Technologies Ltd. in Redwood City, Calif., also warned investors last week that while its revenue would be up sharply from the same period last year, it would fall slightly below analysts’ expectations, reaching about $140 million.

Both companies blamed a slowdown in corporate spending for the lowered earnings forecasts.

The warnings sent both companies’ stock prices plummeting and hammered those of other computer security firms.

ISS, which at its 12-month peak traded at more than $108 per share, lost more than 40% of its value on July 3, when it dropped to just over $20. On the same day, Check Point dropped more than 12 points to a little over $44, well short of its 52-week high of $118.

Other computer security stocks that were caught in last week’s downdraft included those of Network Associates Inc., which dropped more than 6%; RSA Security Inc., which fell nearly 8%; and Certicom Corp., which declined more than 5% to less than $3 per share, well below its 52-week high of more than $47.

The earnings warnings — and the sell-off that followed — show that the security sector isn’t as protected from the economic slowdown as previously expected, said Charles Kolodgy, an analyst at IDC in Framingham, Mass. Analysts once argued that security spending would remain relatively untouched because of heightening hacker threats and data privacy issues.

“I thought the security sector would hold up better than some of the other areas,” Kolodgy said. Instead, the deferred spending, delayed upgrades and canceled projects that have affected other parts of the high-tech industry appear to have hurt the security sector as well, he said.

For example, during the past several weeks: Hayward, Calif.-based Certicom, which sells security software to wireless Internet providers, said it would cut its workforce by 30%; Seattle-based Watchguard Technologies Inc. laid off 16% of its workforce; and shares of U.K.-based Baltimore Technologies PLC briefly dropped to less than $1 after it announced layoffs.


Job Insecurity

A sampling of security firms that have resorted to layoffs:

Pilot Network Services Inc.: Laid off all its workers and suspended normal operations in April

724 Solutions Inc.: Cut workforce by 12% last month

Entrust Technologies Inc.: Made 30% cut last month

F-Secure Corp.: Laid off 95 of its 445 employees in April


MARYFRAN JOHNSON


Knowledge Quest

YOUR COMPANY’S SECURITY NEEDS are as unique as your fingerprints. So where do you turn for the exact answers you need? You talk to your peers, attend conferences (when travel budgets allow), surf the media in print and online, listen to vendors and pundits, test products and hold your breath a lot.

One big reason it’s difficult to exhale: Adequate budgets to cover your security needs are rare. Datamonitor, a global market analysis firm, estimated recently that the total cost of online security breaches to U.S. corporations runs to $15 billion annually. Yet only 30% have implemented enough protection, and half of those businesses spend less than 5% of their total IT budgets on security.

On your mental checklist of “Security Things to Worry About,” the topics must move around quite a bit. One week, it’s a virus rampage affecting e-mail servers nationwide; the next, it’s another revelation about the havoc vengeful employees can wreak on internal networks. If you had to name your No. 1 security concern a month from today — with absolute certainty — you probably couldn't.

That makes your information needs much more dynamic than ever before. You don’t need a random smattering of interesting articles about IT security as much as you need a center of knowledge that keeps growing.

That’s why, in the first installment of our new monthly In Depth series on enterprise IT topics and technologies, two-thirds of this issue, starting on page 33, is devoted to an exploration of the risks and rewards of enterprise security. More important, the online parts will expand into a knowledge center worth returning to as your needs change.

For example, one of our In Depth print stories (“False Alarms,” page 42) probes the managerial ups and downs of working with intrusion-detection systems (IDS). The companion online-only component supplies IDS product data plus an expert research paper about some inherent flaws in these systems. In that same fashion, each story in the package is linked to a richer set of dynamic resources online at Computerworld.com.

In future installments, we'll tackle other IT topics. Let us know what you’d like to see in these knowledge centers. We’ll do our best to help you learn more and worry less.

MARYFRAN JOHNSON is editor in chief of Computerworld. You can contact her at maryfranjohnson@ —— com.


PIMM FOX

Want to Save Some Money? Automate Password Resets

HOW MANY applications do you support? In 1995, IT departments supported an average of 25 per user. Now, that number is somewhere between 100 and 200. The cost of purchasing those apps has long been absorbed, but ongoing support requirements are costly, ubiquitous and cover mundane tasks.

Indeed, the second most costly request to an IT help desk is to reset a password (about $14 to $28 a pop, according to Gartner). Six years ago, about 25% of help desk calls were about passwords, and having a single password and user ID (or single sign-on) for all applications was the Holy Grail.

Today, password resets account for only 19% of help desk calls, but that’s still the second highest request after those for more RAM to run popular programs — and single sign-on still hasn’t solved the password reset problem.

Nevertheless, improving the password reset function can save IT much-needed money at a time when IT budgets are under siege.

Unfortunately, there have been two culprits holding back change.

The first involves organizational risk management. Kris Brittain, research director at Gartner, says she recently visited a financial services organization that was so concerned about a possible breach of security that it changed the frequency of password resets from every 90 days to every 30 days. In addition, you couldn’t choose a previously used password for at least six months. “Calls to the help desk for password resets jumped 50%,” Brittain says, and employees routinely used sticky notes on the fronts of their monitors to remember their passwords.

How secure is that?

Clearly, a sane password policy must take into account that many users have a corporate LAN identification and password, passwords for a variety of Unix machines and a database password.

Better to place your risk-management assessment in the context of IT support by determining how much it will cost if, say, a quarter of your employees start calling the help desk to reset their passwords.

The second culprit is the lack of an appropriate technology to maintain password security while giving users the tools to self-select and reset passwords. But several technologies are removing this stumbling block.

For example, Support.com in Redwood City, Calif., has integrated P-Synch password management software into its support automation offering. That’s because “it’s a quick and compelling return on investment for companies to slash the amount of time a help desk spends resetting passwords,” says Gary Zilk, product marketing manager at Support.com.

So, don’t hesitate; automate. And don’t forget your password. After all, no one minds safe cost savings.

PIMM FOX is Computerworld's West Coast bureau chief. Contact him at pimm_fox@computerworld.com.


Companies Need 
Security Pros With | 
More Varied Skills 


OMPANIES THINK about their se- 

curity practices a lot like we think 

about going to the dentist. We 
have to go, but we don’t want to; we'll 
put off painful yet necessary gum 
surgery on the gamble that our teeth won’t one 
day fall out. But then we see someone with no 
teeth and become fright- 
ened enough to schedule 
an appointment. And floss- 
ing is not unlike changing 
our user passwords: We're 
supposed to do it regularly, 
and it certainly makes 
good sense, but... 

Corporate security is at a 

crossroads. Companies 
must stop fiddling around 
and take a hard line on 
what’s negotiable and non- 
negotiable for protecting 
their most valuable assets. 
Amid all the latest news 
about privacy, hacked net- 
works and virulent electronic “love letters,” a more 
interesting story is what’s been happening in secu- 
rity-related employment. It has one of the widest 
supply-and-demand gaps of any IT job category: 


DAVID FOOTE is founder 
and research director of 
Foote Partners LLC, an IT 
workforce research firm 

and security manage- 
ment consultancy in New 
Canaan, Conn. Contact 

him at dfoote® 
footepartners.com. 
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| Employers report vacancy rates as high as 90%. 


But here’s the worst part: Employers aren't real- 
ly sure what they should be looking for in hiring 
security professionals. Meanwhile, Rome burns. 

While knowledge of the technical side of secu- 


| rity is obviously a big factor in filling these posi- 


tions, here are equally critical success factors in 
both high- and low-level security jobs: being 
adept at corporate politics; possessing business 


skills and aptitudes; having good relationship 
| ° 
management skills; and being able to market, sell 


and negotiate outcomes. That’s because we des- 
perately need to motivate managers to take on se- 
curity with the same vigor they reserve for, say, 


; new product development. You can’t do that with 


a bunch of techies running security, which is the 


case in many places. 


Security professionals will always need to mas- 
ter newer technologies for protecting IT systems. 
But they’re under increasing pressure to under- 
stand their company’s entire business and pin- 
point the security breaches that are most threat- 


ening to the bottom line. 


In the next few years, security managers will 


need to focus on complying with new security 
and privacy regulations in health care and fi- 
nance; developing stronger user-awareness 


policies; 


addressing a bigger basket of security 


issues, especially the growth of wireless access; 
running business-to-business exchanges; and 


TCO Is More Than a Financial Benchmark

THANKS TO Jaikumar Vijayan for attempting to move the image of total cost of ownership (TCO) past that of a financial benchmark that simply generates a dollar figure [“The New TCO Metric,” Business, June 18]. CIOs must be able to quantify the total costs juxtaposed against level of service and to address opportunities and savings both in the business operation and the IT organization. This requires constructing systems and processes for tracking current service levels and end-user satisfaction. Only with both TCO and service measurement can the CIO shift from meeting with the IT department over technical implementation details to giving IT the information required to talk at the CEO level about the real business of the company.
Kevin Cevasco
Burke, Va.
kevincel@excite.com

Another Mighty Ant

THE ARTICLE “Ant Colony IT” [Future Watch, June 18] was quite interesting, though it failed to cover perhaps the largest real application based upon the concept. The Bullet Train Operation Simulator has a capacity of 40,000 agents, out of which more than 30,000, including trains, signals and train sensors, simulate any what-ifs in the train operations. The central control computer can’t tell whether the
defining the role of application service providers.

Companies should be recruiting a breed of security professional who possesses softer skills, including a positive attitude, diplomacy, patience, attention to detail, tenacious abstract problem-solving ability and a strong will. This will help them gain visibility and acceptance in selling hard-line ideas.

As for technical areas, security pros now need network engineering and operations skills, regardless of their specialization. New security niches — forensics and intrusion detection, for example — are hot, and having a niche certification is desirable.

But employers must scrutinize job candidates for how they work with others, on teams and with customers, since that’s important in cutting through resistance and raising security mind share. And why shouldn't they hire reformed hackers, who have pure tech skills, tenacity and creativity? Casting a wider net will narrow the security employment gap and update the function.

Corporate debates on policies relating to security standards, user awareness, remote/wireless access, acceptable authentication methods, risk management, privacy trade-offs and outsourcing need expediting. This will be done only with a more astute, hands-on security team that speaks to the business persuasively, knows how to finesse a corporate agenda and has the chops.


connected system is the 
real train system or the 
simulator. 

Seiichi Yaskawa 

Yaskawa Electric Corp 

Tokyo 
yaskawa@yaskawa.co.jp 


Bad Title, Good Quiz

WHILE I HATED the exhortative title of Peter G.W. Keen’s column “Go Mobile — Now!” [Business Opinion, June 11], I enjoyed reading the answers to the quiz. Even where I knew the answer, I got more information.
Gobind Tanaka
Los Angeles


Software ‘Landlords’

IF YOU BUY a house that causes you harm, the costs are yours. If you rent a house that causes you harm, the costs are the landlord’s. I’m not a lawyer, but it would seem to me that if software vendors are going from selling to renting software, they could realistically be sued for damages caused by their software [“Don’t Be Fooled by the Allure of ‘Renting’ Software,” News Opinion, June 25].
Paul Olson
Director, computer operations
Total Info Services
Tulsa, Okla.

More Letters, page 30 


COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 500 Old Connecticut Path, Framingham, Mass. 01701. Fax: (508) 879-4843. Internet: letters@computerworld.com. Include an address and phone number for immediate verification.











FRED WIERSEMA

How Market Leaders Reach Out to Customers

FRED WIERSEMA is author of the new book The New Market Leaders: Who's Winning and How in the Battle for Customers (The Free Press) and a fellow at business strategy and technology firm DiamondCluster International Inc. in Chicago. Contact him at Fred.Wiersema@diamondcluster.com.

THERE’S LITTLE DOUBT that market leadership and the savvy use of IT have been synonymous for the past decade. The firms that are dominating their industries today — growing two to three times faster than their peers — were among the first to exploit IT to re-engineer their business processes and eradicate waste from operations in the early 1990s. In doing so, they laid the foundation for their current success. My latest research also ranks them among the most astute deployers of the Internet. Moreover, these firms are in the forefront of using IT to cope with today’s biggest business challenge: a scarcity of customers.

In today’s crowded markets, the problem isn’t building capacity or generating new products and information. The real bottleneck is finding customers for our prodigious output. Of course, that condition becomes exacerbated in a slow economy, with lots of suppliers clamoring to woo customers. Rising above the din, the new market leaders recognize that customers get flooded with choices and information, yet have less time and patience to sort through the abundance of offerings. These leaders come to the rescue by craftily using IT to get and hold customers’ attention, sometimes offering an added value that keeps customers coming back.

Consider how market leader EMC helps customers stay on top of a little-mentioned corollary of Moore’s Law: information storage requirements double every 18 months. Not only do EMC’s innovative storage products scale well, the company’s true appeal is that it allows customers to sleep better at night. Each of EMC’s 45,000 data storage systems in operation worldwide is connected to one of three “Call Home” centers in Massachusetts, Ireland or Japan. Whenever an EMC unit anywhere in the world senses something wrong, it automatically reports the problem to the nearest center, and potential disaster is averted. Service to prevent, not repair, is indeed service par excellence. EMC’s remote monitoring and diagnostics capability has created a virtual, umbilical link with precious customers.

Or consider UPS. In the past decade, the company has used IT to transform itself into a high-tech, customer-obsessed powerhouse that’s not just distributing goods, but also enabling global commerce. Particularly striking is the company’s ambitious and foresighted move to use wireless technology to boost the value of its services. The delivery information acquisition device (DIAD) is a handheld computer that has helped turn UPS into the world’s largest user of mobile communications technology. It allows UPS drivers and handlers to follow each package and feed large amounts of tracking data into the company’s massive data centers in New Jersey and Atlanta. Now in its third generation, DIAD has cut the firm’s cost of tracking to less than 10 cents per package. But most importantly, UPS customers now use this tracking information to cut their inventories, manage their systems and keep their receivables and late payments under control. UPS is deftly using IT to boost its services’ appeal and value.

These and many other new market leaders demonstrate that the imaginative and bold use of technology is the foremost way to transform customer scarcity into customer abundance.

MICHAEL GARTENBERG

Microsoft and The IT World: After the Verdict

MICHAEL GARTENBERG, former vice president and lead Microsoft analyst at Gartner Inc., is an independent technology analyst and consultant. Contact him at michael.Gartenberg@mindspring.com.

THE PHILOSOPHER Friedrich Nietzsche said, “That which does not kill you makes you stronger.” With last month’s appeals court ruling on the antitrust case, Microsoft has survived its most critical challenge to date. So what does the future likely hold, and how does this victory affect Microsoft’s customers and competitors?

First, the company must resolve its legal issues with the Department of Justice (DOJ). It’s likely that with a new Republican administration, Microsoft can go back to the negotiating table one more time and hammer out a new consent decree and come to terms with the DOJ and the attorneys general for the states involved in the case. If that happens, it will smooth the path for the launch of Windows XP, Xbox and .Net.

Bolstered by the court verdict, Microsoft will continue to integrate new technologies into its products. Both the new messaging client and media technologies will remain parts of Windows XP, and the HailStorm Web services initiative will
expand at a much greater pace. Integration does 
offer benefits to users in terms of usability and 
reliability, and the vendors that compete with Mi- 
crosoft in these areas will need to carefully evalu- 
ate how these integrated technologies will affect 
their customers’ buying patterns. 

It’s also likely that as a result of the verdict, 
the company will no longer pitch the larger .Net 
project as a totally platform-neutral technology. 
Instead, the Web-based platform for software 
services will become more tightly coupled with 
XP for the best possible user experience (though 
Microsoft will continue to offer parts of the .Net 
framework and functionality on other platforms). 

For organizations that have been dealing with 
Microsoft and awaiting an outcome of its legal 
battles before deploying new technologies, the 
worst of the battle is over. But as Microsoft shifts 
to services and nonperpetual license agreements, 
it’s time for Microsoft customers to decide how 
they want that relationship to change, which 
technologies they will roll out and when. Critical 
planning decisions regarding enterprise projects 
such as the rollout of Office XP and Windows XP 
must be tied into license planning in order to 
minimize both long- and short-term acquisition 
and maintenance costs. Decision-makers must 
question the short-term cost benefit of signing up 
early vs. maintaining older technologies longer, 
and they must address the issues of being locked 
into a platform that’s rented rather than pur- 
chased. 

It’s been a tough year for Microsoft, but even 
with the specter of a breakup looming large, the 
company focused on the next generation of Win- 
dows and Office, announced plans to enter the 
world of consumer electronics, and began the 
long road that will shift it from shrink-wrapped 
software to “software services.” The appellate 
court’s verdict was a victory for Microsoft, and 
the harsh rebuke of Judge Thomas Penfield Jack- 
son, who issued the breakup order, was the icing 
on the cake. 

With its legal issues largely behind it, Microsoft 
is now poised to face the challenges of the ever- 
changing technology landscape. By allowing the 
free markets to decide the success of technology 
standards, the court has restored a level playing 
field by not crippling Microsoft and allowing it to 
compete effectively in current and future markets 
and retain control over features and technology 
integration. This is something all companies must 
be allowed to do. Now, it’s up to user organiza- 
tions to embrace or reject products as they see fit, 
and the competition will be in the execution of 
technology strategies, not legal strategies.
Paying the Price for Our Choices

OVER THE PAST 10 years, I’ve seen some amazing management moves in companies for which I have consulted. Some IT managers couldn’t get NetWare out of their companies fast enough. Most of the time, their reasoning wasn’t definable. I was left to assume it was a combination of not understanding technology and feeling warm and fuzzy. I’m convinced it rarely, if ever, had a business case. Now, when I heard about the change in licensing for Microsoft products like Office [“Microsoft License Shift Creates Turmoil,” News, May 21], I started watching for some sort of product pricing announcements from Corel. Surely this would be a good time to garner some broader appeal by offering great licensing deals. I heard nothing. Then it hit me: Microsoft had filed with the SEC to help bail out Corel. Say goodbye to options. It’s hard to keep innovating when your revenue sources dry up. Then there’s all that direction from your new partner. Soon those who don’t need “warm and fuzzies,” like small to medium-size companies and consumers, will have no other options. Higher costs and forced upgrades we don’t want or need will be the norm. Directly or indirectly, we'll all pay this price. So next time one of you IT managers gets frustrated because of rising costs, don’t blame Microsoft. Microsoft saw a problem years ago and focused its efforts on marketing to the warm-and-fuzzy crowd. It effectively did its job. Did you?
Martin Zinaich
Lead systems analyst
Tampa, Fla.

Dealing With Oracle

CONGRATULATIONS to Computerworld and IDG for standing up to Oracle’s hard-line tactics in pulling its advertising [“The Power of You,” News Opinion, June 25]. The Oracle Applications Users Group (OAUG) knows just what you’re going through.

Last year, the OAUG membership overwhelmingly rejected Oracle’s proposal that the OAUG fold its North American conferences into Oracle’s AppsWorld event. (Computerworld ran a terrific cartoon about the situation in the June 1 issue, illustrating OAUG selling hot dogs outside Oracle’s event.) Rather, the membership indicated that the OAUG should maintain its independence; continue producing its own independent, user-focused conferences; work collaboratively with Oracle; and actively involve Oracle in OAUG events. The OAUG then asked Oracle to provide 60 or so development staff to deliver roughly 55 “Oracle Directions” and Q&A sessions at the OAUG’s fall conference. Oracle has refused to provide even this minimal level of support. The OAUG is now surveying its membership to determine how the user group should move forward. It will hold its fall conference in San Diego for four days, with or without Oracle’s participation — but we find it difficult to believe that Oracle will refuse the opportunity to listen to more than 4,000 of its customers. One wonders how long a vendor can stay in business when it so blatantly ignores the voices of its users.
Laura Bray
Communications manager
Oracle Applications Users Group
Atlanta

THE PURPOSE of advertising is to promote a company, product or viewpoint for the benefit of the advertiser. The selection of a particular publication should be to reach a certain demographic — that publication’s readership — not to reward the publication. Computerworld is to be applauded for its editorial independence. Oracle should evaluate its advertising objectives and strategy. I hope that this was the subject of the meetings between IDG publishers and Oracle representatives.
R.K. Davis
President
Davis & Co.
Boca Raton, Fla.


How Palm Can Learn From History

TO ME, IT HISTORY suggests that Palm should run in binary mode, with two independent divisions [“Past May Dictate Palm’s Next Move,” News Opinion, June 25]. One would push software, and the other hardware, just like Sun, HP and IBM. Microsoft is moving slowly into hardware through keyboards, mice and gaming terminals and Compaq into software through clustering. But Palm should avoid the IBM mistake of the early 1980s that led to the creation of Microsoft and Compaq. It should get together with all the major PDA hardware manufacturers, create a standard architecture for these devices and use its lead in this area to develop along those standards. This will commoditize the hardware for PDAs and wireless devices, but the economies of scale that result will drive wireless/PDA component prices down and will create a huge worldwide market. Today’s PC makers are proof that standardization works. Palm Software, like Microsoft before it, would then ride the hardware success by writing the best Palm OS for the standards, selling it very cheaply to gain market share and making money on the upgrades and potential applications running on top of the operating system. This way, the “integrator’s dilemma” becomes a synergy opportunity.
Athmane Nouiouat
E-business solutions architect
SAP America Public Services
Foster City, Calif.

Lawmaker Misconstrues Antitrust

RICHARD ARMEY’S comment that “our antitrust laws should not be used to hold our most successful companies back to give the competition a chance to catch up” is absurd [“Appeals Court Reverses Microsoft Breakup Order,” Computerworld.com, June 28]. The precise purpose of antitrust laws is to guarantee a level playing field for all. Companies that violate that principle pay a price.
Larry Teitelbaum
Manhattan Beach, Calif.


Digital Copyright Law Isn't Cynical

ALEX TORRALBAS does a pretty good job of hitting on the reality of the Digital Millennium Copyright Act [“Bad Legislation Opens Web to Corporate Lawyers,” News Opinion, June 18], but he omits the theory behind the act. He’s on target that the RIAA will say and do anything to keep its coffers stuffed. The theory behind the DMCA, though, was to ensure that the owners of the underlying copyrighted works receive fair compensation for their livelihood.
Steven Rubenstein
Antioch, Tenn.


Vexed by Mind Games

USING sophomoric miming tricks only perpetuates the problem of getting professional salespeople to visit your site [“Message to Vendors: Drop the Mind Games,” Security Manager’s Journal, June 25]. Certainly there are salespeople who try “sales-school tricks” in an attempt to get an appointment or a sale, but to publish an article that enables this to continue is irresponsible.
Harold Palmer
Consultant
Bloomington, Minn.
Finding Answers

MUCH AS I LOVE the Web, it has its weaknesses. It’s hard to take on airplanes, for example, and reading anything really long can make your eyes cross.

Print, on the other hand, is portable and easy on 
the eyes but isn’t so great if you need to dig for 
more detail or find answers to specific questions a 
story raises in your mind. 

That’s why we’re combining the two, in this first 
edition of our monthly In Depth special report. 
Each In Depth will focus on a specialty area readers 
have identified as important to them. 

In print, you'll find stories probing various as- 
pects of the topic, all tied to exclusive online stories 
that go into even greater depth, sidebars on related 
topics, research, and community activities designed 
to enhance the value of the information you get 
from Computerworld in print and online. 

All of that, plus other related Computerworld con- 
tent, will live at our enhanced In Depth sites at 
Computerworld.com, continually updated with 
news, opinions and new research links to help you 
keep up to date and focus your research on topics of 
interest to you. 

So you get the portability of print, the resources 
of the Web and input from your peers in Computer- 
world communities, served up in ways designed to 
be convenient. Let us know how it works for you.


Kevin Fogarty is Computerworld’s features editor.
Contact him at kevin_fogarty@computerworld.com.


MORE IN DEPTH STORIES

■ Congress is changing the risk/reward equation with new security regulations. So is Europe, where they're really cracking down on online behavior that's tolerated here.
■ Is XML just a big risk or a major advantage for keeping transactions safe?
■ Plus, information on tools you can use to set up traps for intruders, PKI nets for customers and where to find answers to almost any question you have on how to stay secure and make money doing it.
www.computerworld.com/securityonline

Get advice from your peers, offer your own tips or post your opinion at:
www.computerworld.com/security

As e-commerce becomes more important, so does security — to control the risk and profits.
Though many firms are focused on preventing external breaches in computer security, the greatest threats often lurk within a company’s workforce.

By Dan Verton

IT’S JANUARY 2000, and the world hasn’t imploded under the weight of the Y2k problem. Planes aren't falling out of the sky, and trains aren’t careening off their tracks. But in a few short months, Craig Goldberg’s start-up will come face to face with a more sinister threat that will take it to the brink of disaster: cybercrime.

The CEO of Internet Trading Technologies Inc. (ITTI), a New York-based technology subsidiary of stock trade regulator LaBranche & Co., had just completed a second round of funding that helped fuel an expansion of the company’s IT staff. Within two months, Goldberg hired a half-dozen more software developers and tapped a CIO with 15 years of experience to take on the role of chief operating officer.

Trouble lurked beneath the surface, however. Two of the company’s software developers approached ITTI’s new COO and demanded that the company “pay them a lot of money or they will resign immediately and not provide any assistance to the development team,” according to Goldberg, who eventually succumbed to the demands.

But that wasn’t enough for the two developers, who left the premises, demanded more money and stock options and threatened to let the development work founder. “It felt like we were being held up,” says Goldberg. Faced with the equivalent of a cyberhijacking, he refused to budge, and the developers were dismissed.

The first denial-of-service attack hit the next morning, a Thursday, and crashed the company’s application server. Somebody sitting at a computer in a downtown Manhattan Kinko’s had gained access to ITTI’s server using an internal development password. The server was brought back online, only to be hit again two minutes later, says Goldberg. Passwords were changed, and development systems were air-gapped — physically disconnected — from the Internet. But the attacks continued through the weekend.

The situation soon became critical. “If the attacks continued to go on, we would go out of business,” Goldberg says. He called in a security consulting firm and the Secret Service.

The last attack, which occurred Monday morning, 
hit as federal authorities were installing monitoring 
equipment on ITTI’s networks. Authorities traced 
the attacker to a computer at Queens College in 
Flushing, N.Y., where one of the former employees 
was a student. Witnesses placed the individual at the 
specific computer at the precise time of the attack. 
Within an hour, the Secret Service officials had their 
man. No evidence or charges were brought against 
the other former employee. 


Stress Points 

Experts agree that cybercrimes, such as the one 
perpetrated against ITTI, are often the result of a 
combination of factors that are unique to the modern 
IT workplace. Although most managers believe, as 
Goldberg says, that “security is both about risk man- 
agement and hiring honest people,” experts in crimi- 
nal psychology say the onus is often on managers to 
take action to prevent current and former employees 
from lashing out in the form of cybercrime. 

Jerrold Post, a professor of psychiatry at The 
George Washington University in Washington, devel- 
oped the “Camp David profiles,” which focus on un- 
derstanding the psychology of terrorism and political 
violence. They were developed for then-President Jim- 
my Carter. Post says cybercrime can be seen as a sub- 
set of workplace violence, where employees become 
frustrated but have no way to mitigate the stress. 

“In almost every case, the act which occurs in the information system era is the reflection of unmet personal needs that are channeled into the area of expertise,” says Post. “Almost all of these people are loyal at the time of hiring, so this isn’t a matter of screening them out.”

MORE IN DEPTH STORIES
Access additional content, published exclusively online, at:
www.computerworld.com/securityonline

IN DEPTH RESEARCH ON CYBERCRIME
■ From the U.S. Department of Justice, on Computer Crime: Identity Theft: The Crime of the New Millennium, Sean B. Hoar (March 2001)
■ Federal Criminal Code Related to Computer Crime: 18 U.S.C. § 1029. Fraud and Related Activity in
■ Critical Infrastructure Protection Resources: Privacy Laws and the Employer-Employee Relationship, A Legal Foundations Study.
■ Plus other links at:
www.computerworld.com/securitylinks

Post acknowledges that only a small percentage of 
IT workers who share a common set of personality 
traits actually commit crimes. However, for those 
who do become cyberoffenders, their actions are 
often the result of not having skilled managers who 
can alleviate workplace stressors, he says. 

Post suggests several approaches that managers 
can take to both identify and alleviate those stressors 
for employees, including providing more distinct 
career paths. He also says managers need to acquire 
better leadership skills to help people feel like they 
really matter to an organization. 

Bill Tafoya has spent the better part of the past 
25 years profiling criminals. A former special agent 
at the FBI and now a professor of criminal justice at 
Governors State University in University Park, Ill.,
Tafoya says many IT workers today sometimes feel
browbeaten by their employers. 

“Most of the time, however, they merely become 
cynics who infect co-workers with their misanthropic 
view and undertake career-long, one-person work 
slowdowns,” he says. 

Managers often mishandle difficult situations, he 
says. “In some organizations, when personnel falter 
and are subsequently disciplined, the records depart- 
ment is a favorite reassignment [that] management 
uses for purposes of punishing the miscreant,” Tafoya 
says. “I ask you, who is being punished?” Career paths 
need to be developed for IT personnel who handle a 
company’s crown jewels — its information, he adds. 

Obviously, not all cybercrimes occur as a result of 
frustrated employees. Many computer security 
breaches are the acts of dishonest people who crack 
into systems from the outside using the Internet. 

Sometimes, they get a little indirect help from un- 
suspecting employees. 

In February, a major bank in the Northeast whose 
name is being withheld for security purposes discov- 
ered that unauthorized purchases were being made 
on the Internet using its customers’ information. The 
bank called the Emergency Response Team (ERT) 
at Internet Security Systems Inc. (ISS), an Atlanta- 
based security firm. After 131 hours of forensics pro- 
cessing, both ISS and bank officials suspected that a 
mole in the company was helping the attacker. 

“The client was convinced there was a collabora- 
tor and was ready to terminate a number of individu- 
als, as well as contractors,” said Allan Fideli, director 
of the ERT and the former chief of worldwide security
at IBM. However, Fideli and another analyst eventually
narrowed down the perpetrator to a contractor
in Europe who had stolen passwords from his mother- 
in-law, who was an employee of the bank. 

Scott Christie, an assistant attorney at the U.S.
Attorney’s Office for the District of New Jersey in 
Newark, says a lack of oversight is a key enabler in 
many cybercrime cases. 

“Without any oversight, [criminals] can do what 
they want without fear of being caught,” says Christie. 

Richard Hunter, an analyst at Stamford, Conn.- 
based Gartner Inc., says management inattention can 
be a contributing factor. “Some managers are inatten- 
tive to the point that they do not even check résumés 
for people being hired into positions where sensitive 
data is available,” says Hunter. 

Although Post acknowledges that the majority of 
hackers are little more than garden-variety criminals, 
the world of cybercrime does have its share of Lee 
Harvey Oswalds, he says. The most recent example 
is Abraham Abdallah, a 32-year-old Brooklyn busboy 
who in March managed to pull off the biggest Inter- 
net identity heist in history by stealing the online 
identities of 200 of the richest people in America.

There is little difference in motivation between 
criminals like Abdallah and Oswald, says Post. “To 
steal somebody’s identity is to escape from one’s 
place of insignificance. It’s a special species of assas- 
sination,” he says. 

For Tafoya, the assassination metaphor goes too 
far. “Those who have been so victimized see the theft 
of their identity as more akin to rape,” he says. 

According to ITTI’s Goldberg, however, cyber- 
crime is about greed. “We talked and negotiated in 
good faith, but at a certain point in time, it becomes
extortion,” he says.
Many see XML as a miraculous way to integrate the Web and back-end data. But few realize how powerful a force they’re letting through the firewall and how big the risk is from hackers who write hostile code disguised as HTML.

By Deborah Radcliff


JUST WHEN YOU thought the forces of the Web were finally getting manageable, along comes multidimensional data. We're talking XML, which unlocks data from many sources for many destinations as no markup language has done before.

But this new way of handling data also 
opens up new security vulnerabilities. Al- 
ready, IT managers are bracing for a new on- 
slaught of malicious code, data hijacking, viruses, 
graffiti, defacements and buffer overflows. 

XML is spreading to back-office systems, business 
exchanges and wireless applications. In the next two 
years, XML will be used on more than 50% of Web 
sites, according to some researchers. 

Even two years ago, companies like Marriott Inter- 
national Inc. had begun making their back-office ap- 
plications more extensible through XML. And pro- 
gressive businesses like ETrade Group Inc. and Alas- 
ka Airlines are now announcing wireless trading and 
reservations through XML-based systems built by 
companies like Everypath Inc., a mobile application 
framework vendor in San Jose. 

Unlike HTML, XML can link an unlimited combi- 
nation of data types by tagging them with a standard, 
machine-readable language to define each piece of
data and determine what it does. 

For example, XML can be used to dynamically link 
inventory data stored in an arcane format in a back- 
end database with specific spreadsheet columns that 
allow customers and partners to slice and dice num- 
bers in real time. 

Developers can use XML to create interactive Web 
sites by dynamically linking the data stored in their 
systems or from anywhere in the public domain. 

XML is the basis for an emerging consumer privacy framework called Platform for Privacy Preferences, introduced by Microsoft Corp. and several small vendors this year. And XML shows promise of finally making public-key infrastructures and digital signatures interoperable.

But XML has a dark side. The powerful capabilities of these data sets and dynamic links open up a whole new can of security worms because the code defined by XML tags can carry virtually any payload through the firewall unchecked. Simply put, firewalls and filters trust that the XML tags are honest descriptors of the code they define, so malicious XML code could get a free ride into almost any organization.


Too Much Trust? 


The World Wide Web Consortium (W3C), whose 
members are mostly technology and telecommunica- 
tions vendors, denies any suggestion that XML opens 
up new security problems. “XML is just a markup ... 
used to convey information and build applications,” 
says Joseph Reagle, a policy analyst at the W3C. 

But as with other languages that support executable code, the problem is what developers do with XML. “How you convey information and build applications will, of course, have security concerns,” says Reagle.

It’s this model of trusting developers to do the right thing with XML that worries IT professionals.

“Trust is the darned key to all of this,” says Perry Luzwick, director of information assurance architecture at Herndon, Va.-based Logicon Inc., an IT company owned by Los Angeles-based Northrop Grumman Corp. “There’s no control of the input in an open XML environment unless you could somehow check wrappers [tags], but that’s cumbersome. ... There’s no way to say that metadata in the tags represents what it says it does.”

It’s too early to tell how widespread XML-enabled 
exploits will be in the next few years. So far, exploits 
are rare because there’s no XML on the client end 
yet, says Ryan Russell, incident analyst at security intelligence firm SecurityFocus Inc. in San Mateo,
Calif. But Internet Explorer has a heavy XML feature 
set in V6.0, to be released later this year. 

Payet Guillermo, chief technology officer at Ocean 
Group, an Internet engineering firm in Santa Cruz, 
Calif., says the first wave of XML attacks will resem- 
ble malicious code attacks conducted in HTML, 
more than 40 of which are listed on the advisory 
pages of the Pittsburgh-based CERT Coordination 
Center. “Just as there are a bunch of browser exploits 
that use malformed HTML and Java to crash your 
browser or take control of your machine, we'll proba- 
bly see the same types of attacks aimed at XML 
parsers ... and the applications using the parsed 
data,” says Guillermo. 

Text-based attacks will also re-emerge, predicts Dan Moniz, a research scientist at peer-to-peer application developer OpenCola Ltd. in Toronto.


A text-based attack is accomplished by inserting 
complicated data streams — symbols, numbers and 
characters — anywhere in applications, including 
buffers, or Web addresses. Until XML, text-based at- 
tacks were successfully filtered. But the XML frame- 
work introduces a more complex character set rou- 
tine, Unicode, to facilitate more complex data typing. 
Unicode uses 16-bit character sets instead of ASCII’s 
eight bits. 

In May, the first Unicode text-string exploit 
(against Microsoft's Internet Information Servers) 
was posted on CERT’s advisory pages (Vulnerability 
Note VU#111677).

“In Unicode, there are an infinite number of ways to say something. So programs that block bad code can’t work with Unicode, because they can’t think of all the ways the bad code could be written,” says Bruce Schneier. In July of last year, Schneier, founder and chief technology officer of Counterpane Internet Security Inc. in Cupertino, Calif., published a white paper predicting an onslaught of text-based attacks exploiting the Unicode character sets. “Unicode is just too complex to ever be secure,” he adds.

[Chart: When do you plan to use XML to publish your Web site? Percentage of programmers using XML]

The Problem With Power

According to Peter Lindstrom, an analyst at Hurwitz Group, the power of XML comes from its flexibility and extensibility paired with its semantics and structure. But these same elements, he contends, also cook up new security issues. In a white paper entitled “Introduction to XML Security” (June 2001), Lindstrom cites four recipes for XML disaster. Here are those risks and ways to defend against hostile XML executables:

The Threat

DATA SHARING The “cookbook” approach to data sharing - one that involves many ways to share data - makes it difficult to validate the source of every piece of information and the accuracy of the information itself.

DATA LINKING Presenting data in the form of links via Web addresses overextends security mechanisms.

TRANSPORT Firewalls won't stop XML, regardless of the application that’s using it.

STRUCTURE Even though XML instances can look exactly alike, they can be different under the covers. Placement of tags, use of white spaces and other style tweaks can introduce new ambiguities to the data sets.

Indeed, protecting against any new XML-based at- 
tacks won’t be easy because there are no checks to 
verify such complex data streams being pushed or 
pulled into business networks. 

Don’t count on filtering to help. Firewalls won't 
check XML-embedded data. And XML-encoded at- 
tack signatures won’t show up in audit logs, says 
Dark Tangent, a white-hat hacker and organizer of 
the annual Def Con security conference for hackers 
in Las Vegas. 
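Schneier's point about the many ways to write the same text, as an added Python example that is not from the original article: a filter that matches raw bytes is compared with one that first reduces the input to a single canonical form and rejects anything ill-formed. The blocked token and every sample input are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

BLOCKED = "evil"  # constructed stand-in for any token a filter must stop


def naive_filter(raw: bytes) -> str:
    """Byte-level match against the single spelling the filter author thought of."""
    return "block" if BLOCKED.encode("ascii") in raw else "allow"


def canonicalize(raw: bytes) -> str:
    """Reduce input to one canonical spelling, or raise ValueError."""
    decoded = unquote_to_bytes(raw)                  # undo %XX escapes exactly once
    if re.search(rb"%[0-9A-Fa-f]{2}", decoded):      # still escaped: nested encoding
        raise ValueError("nested percent-encoding")
    text = decoded.decode("utf-8", errors="strict")  # overlong or ill-formed UTF-8 raises
    text = unicodedata.normalize("NFKC", text)       # fold fullwidth and other compatibility forms
    # Drop zero-width and other invisible format characters (category Cf).
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return text.casefold()                           # case-insensitive comparison


def canonical_filter(raw: bytes) -> str:
    """Canonicalize first, then match; refuse input that cannot be canonicalized."""
    try:
        text = canonicalize(raw)
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return "reject"
    return "block" if BLOCKED in text else "allow"


# Constructed inputs: one benign string and seven spellings of the same token.
SAMPLES = {
    "benign": b"hello world",
    "plain": b"evil",
    "uppercase": b"EVIL",
    "percent": b"%65vil",
    "fullwidth": "\uff45\uff56\uff49\uff4c".encode("utf-8"),
    "zero_width": "ev\u200bil".encode("utf-8"),
    "overlong": b"\xc1\xa5vil",   # ill-formed two-byte encoding of 'e'
    "double": b"%2565vil",        # percent sign itself percent-encoded
}


def compare() -> dict:
    """Return {sample name: (naive verdict, canonical verdict)}."""
    return {name: (naive_filter(raw), canonical_filter(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:11s} naive={verdicts[0]:6s} canonical={verdicts[1]}")
```

The byte-matching filter stops only the plain spelling; the canonicalizing filter blocks the five well-formed variants and refuses the two it cannot decode to a single form.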


Safety in Standards 


About the only thing IT professionals can do at this early stage is minimize their own development risks. The best bet is to carefully follow XML development standards and protocols coming from the Internet Engineering Task Force (www.IETF.org), the W3C (www.W3.org), vertical industry groups and vendor-developed frameworks like Everypath’s, advises Peter Lindstrom, a security analyst at Hurwitz Group Inc. in Framingham, Mass.

■ Don’t trust inbound data.

■ Check data sizes on input.

■ Test untrusted XML-wrapped executables in a “sandbox” - a separate area of the network - to make sure the code isn’t malicious.

■ Set up a local store of Document Type Declarations (DTD) either at or near the firewall and keep it updated like you would virus signatures. DTDs are XML syntax-based data describers that will likely be linked to you from other sources. If these DTDs were altered outside your network, a local DTD store would notice a conflict and stop the process, says Dan Moniz, a research scientist at OpenCola Ltd. in Toronto.
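The input checks listed above (size limits and a local DTD store), as an added Python example that is not code from the article or from any vendor it names. The size limits, the DTD identifier `http://partner.example/dtd/order.dtd` and the sample documents are assumptions constructed for illustration; rejecting an inline DTD subset is an extra hardening step the article does not mention.

```python
import hashlib
import xml.parsers.expat

MAX_DOC_BYTES = 4096    # assumed ceiling for a whole inbound document
MAX_FIELD_CHARS = 64    # assumed ceiling for the text of any one element

# Local DTD store: the trusted copy is hashed once and pinned by identifier.
DTD_ID = "http://partner.example/dtd/order.dtd"   # hypothetical identifier
TRUSTED_DTD = (b"<!ELEMENT order (sku, qty)>\n"
               b"<!ELEMENT sku (#PCDATA)>\n"
               b"<!ELEMENT qty (#PCDATA)>\n")
LOCAL_DTD_STORE = {DTD_ID: hashlib.sha256(TRUSTED_DTD).hexdigest()}


class Rejected(Exception):
    """Raised inside parser callbacks to stop processing immediately."""


def check_inbound(doc: bytes, delivered_dtd: bytes) -> str:
    """Return "accept" or "reject: <reason>" for one inbound document.

    delivered_dtd is the DTD text that arrived with, or was fetched for, the
    document; it is compared with the pinned local copy and never parsed.
    """
    if len(doc) > MAX_DOC_BYTES:
        return "reject: document too large"

    state = {"system_id": None, "field_len": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if has_internal_subset:
            raise Rejected("inline DTD subset not allowed")
        state["system_id"] = system_id

    def on_boundary(*_args):
        state["field_len"] = 0          # a new text run starts at every tag

    def on_text(data):
        state["field_len"] += len(data)
        if state["field_len"] > MAX_FIELD_CHARS:
            raise Rejected("field too long")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_boundary
    parser.EndElementHandler = on_boundary
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(doc, True)         # expat does not fetch external DTDs by default
    except Rejected as exc:
        return f"reject: {exc}"
    except xml.parsers.expat.ExpatError:
        return "reject: not well-formed"

    if state["system_id"] is None:
        return "reject: no DTD declared"
    pinned = LOCAL_DTD_STORE.get(state["system_id"])
    if pinned is None:
        return "reject: DTD not in local store"
    if hashlib.sha256(delivered_dtd).hexdigest() != pinned:
        return "reject: DTD differs from local copy"
    return "accept"


# Constructed sample messages.
HEADER = b'<?xml version="1.0"?>\n<!DOCTYPE order SYSTEM "' + DTD_ID.encode() + b'">\n'
GOOD_DOC = HEADER + b"<order><sku>AB-1</sku><qty>3</qty></order>"
LONG_FIELD_DOC = HEADER + b"<order><sku>" + b"A" * 65 + b"</sku><qty>3</qty></order>"
INLINE_DTD_DOC = b"<!DOCTYPE order [<!ELEMENT order ANY>]><order/>"
UNKNOWN_DTD_DOC = b'<!DOCTYPE order SYSTEM "http://other.example/x.dtd"><order/>'
ALTERED_DTD = TRUSTED_DTD.replace(b"qty", b"quantity")  # changed outside the network

if __name__ == "__main__":
    print(check_inbound(GOOD_DOC, TRUSTED_DTD))
    print(check_inbound(GOOD_DOC, ALTERED_DTD))
```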

And remember, you're not the only one trying to 
make sense of the XML paradigm. Even those in the 
know, like John Goeller, director of electronic trading 
at Credit Suisse First Boston in New York and chairman
of a financial services XML working group, are
struggling with more than a dozen XML protocols to 
come up with a universal standard suitable for finan- 
cial trading applications. 

Growing pains like these are common with all emerging technologies, says Dark Tangent. There’s no way to know how the exploits will hit or when because programs support XML differently than they do HTML, he says. “It will take time for XML developers to get XML integrated correctly,” he says.


MORE IN DEPTH STORIES
■ XML is more than just a threat. It can also be a way to make secure e-commerce work using digital certificates.
■ Check out more on XML, its uses, defenses against it, and how to use it to your own advantage.
www.computerworld.com/securityonline
Top 10 Security Mistakes

You may not be able to prevent serious break-in attempts, but you can at least avoid leaving your doors open at night. By Alan S. Horowitz

PEOPLE REGULARLY LOCK their houses, demand airbags in their vehicles and install smoke alarms in their homes. But put them in front of a computer, and you'd think the word security was magically erased from their brains. People are more careless with computers than perhaps any other thing of value in their lives. The reason is unclear, but observers agree that end users — and even some IT departments — can be pretty dumb when it comes to protecting computers and their contents. The following are some notable, less-than-bright errors that people and IT professionals commit when it comes to computer security:

The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures. Too lazy to remember their passwords, users place them where they — and everyone else — can see them: stuck to the front of their monitors. Lest you think this is so obvious it’s uncommon, Garrett Grainger, vice president of information systems at office supply manufacturer Dixon Ticonderoga Co. in Heathrow, Fla., estimates that of his several hundred end users, 15% to 20% regularly do this.


We know better than you. You may 
think that certain security mea- 
sures are necessary, but not all end 
users agree, which leads them to do an 
end-run around you. “People blithely 
turn things off they think have a good 
reason to bypass,” notes Frank 
Clark, network operations cen- 
ter manager at Thaumaturgix 
Inc., an IT consulting firm in 
New York. “Antivirus software 
is an example. They think it slows 
down their machine.” 


Leaving the machine on, unattended. Dan Bent, CIO at Benefits Systems Inc. in Indianapolis, says he’s amazed at the number of users who leave their machines on, without protection, and walk away. Who needs a password?


Opening e-mail attachments (remem- 
ber the Love Bug virus?) from 
mere acquaintances or even strangers. 

This one drives IT managers nuts. 
“Users open all their e-mail attach- 
ments before thinking,” says Marie 
Phillips, manager of information se- 
curity services at Amerisure Mutual 
Insurance Cos. in Farmington Hills, 
Mich. “We tell them to be careful 
about opening notes and attachments 
from strangers or when they get the 
same notes from several people, even 
those they know.” 





Poor password selection. If there’s a 

bugaboo among security experts, 
it’s poorly chosen passwords. Ken Hill, 
vice president of IT at General Dynam- 
ics Corp. in Falls Church, Va., recently 
attended a demonstration with about 
20 of his top engineers and some anti- 
hacking experts from NASA. Within 30 
minutes, the NASA folks broke 60% of 
the engineers’ passwords. Paul Raines, 
global head of information risk man- 
agement at London-based Barclays 
Capital, recommends that users take a 
common phrase and use its initials for 
a password. For example: “I pledge alle- 
giance to the flag” becomes “ipa2tf.” 
“That’s a difficult password to break 
because it’s a combination of letters 
and numbers,” says Raines. 


Loose lips sink ships. Clark says 

people often talk in public places 
about things they shouldn’t. “They will 
say at a bar, ‘I changed my password 
and added the number 2,’ and someone 
sitting two stools down hears this. 
Some things you just shouldn’t talk 
about outside the office environment,” 
says Clark. 


Laptops have legs. Everyone knows 

how common it is for laptops to 
be stolen in public places, but Jay 
Ehrenreich, senior manager at Price- 
waterhouseCoopers in New York, says 
it’s surprisingly common for a person
to leave his laptop in his office, unse- 
cured and unattended, and in full view 
of passersby. “These things walk,” he 
warns. Users should place their laptop 
securely out of sight, such as in a 
locked desk drawer. 


Poorly enforced security policies. 

The best-designed security plans 
are useless if IT fails to rigorously 
enforce them. “If these things aren’t 
enforced by the system, then the policy 
isn’t useful,” notes Chris Smith, vice 
president of computer information 
systems at EasCorp, a Woburn, Mass.- 
based provider of wholesale financial 
services to the credit union industry. 


Failing to consider the staff. “Your 

greatest [security] threat is from 
in-house,” says Hill. Disgruntled em- 
ployees and others can cause enormous 
problems if they’re not properly moni- 
tored. IT departments should do a 
good job monitoring incidents and have 
the forensics capabilities to be able to 
follow problems to their sources. 


Being slow to update security in- 

formation. “One thing we see all 
the time is that service packs are not 
kept up-to-date,” says Ehrenreich. This 
creates a window of opportunity for
hackers.
With a European computer security treaty ready for ratification, IT managers in the U.S. had better concern themselves with liability and protection issues.

By Deborah Radcliff


INFORMATION TECHNOLOGY managers fear that the Council of Europe’s final draft of a controversial cybercrime treaty, which was approved by the council’s European Committee on Crime Problems last month, will affect their businesses from both a liability and a security perspective.

But before getting all worked up over liability issues, American IT leaders need to remember that European nation-states are behind the U.S. in terms of cyberlegislation and law enforcement, explains Martha Stansell-Gamm, chief of the Computer Crime and Intellectual Property Section at the U.S. Department of Justice (DOJ). Stansell-Gamm was the DOJ’s representative in the drafting of the treaty. The U.S. participated because it has observer status within the Council of Europe.

“We already have many treaties — bilateral and multilateral — on law enforcement matters like extradition, mutual assistance, money laundering and corruption,” she says. “An awful lot of what’s going into this treaty is not new; this just combines technology and criminal law and international law.”

[Photo caption, partly lost: ... are international cyberinvestigations, says the DOJ’s Martha Stansell-Gamm.]

Just as in other international law 
enforcement pacts, the primary ob- 
jective of the treaty is to break the 
bottlenecks in international cyberin- 
vestigations, says Stansell-Gamm. 

For example, if the Philippines had 
the laws in place to become a signatory 
to the treaty, the creators of the “I Love 
You” virus may have been brought to 
trial there. But at the time, the Philip- 
pines had no laws addressing comput- 
er crime, and the U.S. had no treaty 
agreement with Philippine authorities 
to continue the investigation, so the 
virus writers were never charged. 

“We want to avoid the situation 
where U.S. networks are being pound- 
ed from overseas and we can’t do any- 
thing about it,” Stansell-Gamm says. 

Until now, domestic law enforcement agencies have been in a quandary
over international cyberinvestigations.
They’ve tried everything from training 
foreign authorities to luring a cracker 
from Russia to the U.S. and then trac- 
ing his cybertracks back to his server 
lair and downloading the contents of 
that server. 

Yet despite the hope that the treaty 
will improve the ability of U.S. corpo- 
rations to press criminal charges 
against foreign attackers, the American 
business community is concerned 
about a number of substantive laws 
that treaty participants must enact if 
they want to be signatories. In particu- 
lar, U.S. firms are concerned about the 
following potential problems: 

■ Increased corporate liability.

■ Granting too many investigative powers, to the detriment of corporate privacy.

■ Making the distribution and sale of hacking tools illegal.

Among these concerns, the one voiced loudest by corporate managers is the potential impact for businesses that use hacking tools to test the stealth of their networks. “Ping could be a hacking tool. TraceRoute [a tool used for IP tracking] could be a hacking tool. How do you define a hacking tool?” asks Frank Clark, network operations manager at Thaumaturgix Inc., a hosting and IT services firm in New York. “The people making these laws don’t know what a hacking tool is. And to outlaw the wrong tools could make it impossible for me to do my job testing my network.”

IN DEPTH RESEARCH
■ See more about the treaty, including the actual language, discussions from European signatories and private-sector discussions.
■ See privacy advocates’ evaluation of U.S. companies’ preparation for the treaty and the impact the treaty will have on international business. Cybercrime links are at: www.computerworld.com/securitylinks

COMPUTERWORLD ONLINE COMMUNITIES
Get advice from your peers, offer your own tips or post your opinion at: www.computerworld.com/security

Mark Rasch, vice president of cyber- 
law at Predictive Systems Inc., a tech 
consultancy in New York, says such re- 
strictions could also violate First 
Amendment rights to free speech. 

This particular concern isn’t being 
driven by the language in the treaty 
document itself, but in a preamble 
press release published when the draft 
first went online in April 2000. The re- 
lease stated, “The draft provides for the 
co-ordinated criminalisation of com- 
puter hacking and hacking devices,” 
without going into further detail. 

“The real problem we have is the 
document doesn’t address intent,” says 
Lisa Norton, an attorney for Internet 
Security Systems Inc. (ISS) in Atlanta. 
Norton lobbied against the outlawing 
of hacking tools because such laws 
could put tools vendors such as ISS out 
of business. 

Fortunately, both the April and De- 
cember 2000 treaty drafts clearly state 
that hacking tools are illegal only if 
used “for the purpose of committing 
offences established in Articles 2-5” 
(see list at right). The December treaty draft includes additional provisions allowing legitimate use of hacking tools.

Other IT professionals who have 
carefully read the document say they 
feel that the treaty clearly addresses 
the issue of intent and the legitimate 
use of hacking tools. “I spent 15 years as 
an attorney, and I do know ambiguous 
language. This [treaty draft] is some- 
thing we're comfortable with,” says 
Mitch Demblin, program director for 
the cyberattack team at Exodus Communications Inc. in Santa Clara, Calif.


The European Cybercrime Treaty


The 29-page Draft Convention on Cyber-crime (http://conventions.coe.int/treaty/ 
EN/cadreprojets.htm) is an international law enforcement treaty draft 
spearheaded by the Council of Europe that attempts to define cybercrime 
and attach substantive criminal penalties. As a potential signatory to the 
treaty, the U.S. has participated in its drafting through the Commerce and 
Justice departments. U.S. corporate interests have been represented in 
treaty development by meeting with the U.S. contingent over the past year. 


FACTS ABOUT THE TREATY 
As of May, there were 25 versions of the draft 
European legislative work in the area of cybercrime a 
The treaty should be ready to ratify by the end of th 
The U.S., along with eight other nations, including 
been invited to be a signatory to the treaty on 
To be a signatory, a country must first apply it 

■ Articles would regulate:
Illegal access
Illegal interception of electronic communications
Data interference
System interference
Misuse of devices
The rest of the document covers proce 
jurisdiction, extradition and information-sh 
This is the first time the Council of Europe has 
scrutiny by posting it on the Web 
On June 22, the cybercrime treaty was adopted by 
it. It's now being conveyed to the 43 member natio 
which will decide on ratification by the end of the year 
ARTICLE 6 - MISUSE OF DEVICES


1. Each Party shall adopt such legislative and other measures as may be necess<
establish as criminal offences under its domestic law, when committed intentiona 
without right 

a. the production, sale, procurement for use, import, distribution or otherv 
making available of 
1. a device, including a computer program 
the purpose of committing any of the offen 
Article 2-5 


2. a computer password, access code, or similar data by which the whole 
any part of a computer system is capable of being accessed with intent (13 
that it be used for the purpose of committing any of the off S h 
in Articles 2-5; and 

b. the possession of an item referred to in paragraphs (a)(1) or (2 

that it be used for the purpose of committing any of the e 

Articles 2-5. A Party may require by law that a number of such items 

before criminal liability attaches. 

2. This article shall not be interpreted as imposing criminal liability where the product
sale, procurement for use, import, distribution or otherwise making available or 
possession referred to in paragraph 1 of this Article is not for the purpose of committing 
an offence established in accordance with articles 2 through 5 of this Conventior 
as for the authorised testing or protection of a computer system 

3. Each Party may reserve the right not to apply paragraph 1 of this Article, prc
reservation does not concern the sale, distribution or otherwise making availab 
items referred to in paragraph 1 (a) (2) 


or adapted prima 
Intrusion detection systems are getting smarter, but sorting real attacks from false alarms takes planning.

By Steve Ulfelder

WHEN ECAMPUS.COM first installed an intrusion-detection system (IDS), the alerts were unnerving. “For the first few attacks, we came unglued. We said, ‘We'd better sit in front of those monitors all day,’” says Brent Tuttle, chief technology officer at the Lexington, Ky.-based college supplies retailer and online community. That’s not an uncommon reaction, users say, because the sheer number of alerts can be overwhelming.

Although an IDS should be part of any enterprise’s 
security toolbox, users and analysts stress that the 
technology is no panacea. Because such systems are 
reactive by nature, they’re always one step behind 
attackers. False positives can cause unnecessary 
scrambling, while the signature updates that make 
an IDS effective against new attacks aren’t frequent enough, users say. And as Ecampus.com discovered, implementing an IDS suddenly increases the awareness of access attempts — although many may be harmless.

Managers should create notification and escalation 
policies that answer the question: Now that we’ve 
got all this information, what are we going to do 
with it? In an effort to ease this burden, vendors are 
developing smarter, more active systems that ignore 
harmless threats and have decision-support mecha- 
nisms that let users respond to the serious ones. 

It’s critical to define an instant-response policy 
before firing up the IDS, users say. These policies 
lay out how to respond to different types of attacks, 
including the people to notify and in what order. 

Tuttle says Ecampus.com had two top priorities in 
mind when it shopped for an IDS. It needed to be ef- 
fective against students, who have plenty of free time, 
and it needed to be automated so the IT staff could 
focus on other tasks. The firm settled on Intruder 
Alert from Symantec Corp. in Cupertino, Calif. 

After a few months of overreacting to false posi- 
tives, Tuttle called in Symantec consultants, who 
educated the staff on which attacks were significant 
and those that weren’t, until he had “a comfort level 
that we were locked down as tight as we can be,” 
Tuttle says. 

Ecampus.com also “developed an escalation policy 
so that if there’s a [denial-of-service attack] or a 
server down, the first calls go to the responsible 
engineers, then I’m notified,” Tuttle says. 

An IDS can free up staff time and eliminate some 
drudgery, but sometimes there’s no substitute for the 
human eye. That lesson was recently brought home 
to John Steensen, vice president and chief technical officer at Intira Corp., a Pleasanton, Calif.-based infrastructure outsourcer that counts among its customers the online community Military.com. In April, when pro-Chinese attacks beset U.S. businesses, “Military.com’s load went from 4% to 74% [of capacity],” Steensen says. The traffic increase didn’t trigger any IDS alarms, but an Intira network engineer “saw it just didn’t look right” and notified Military.com, he says. For businesses where security is critical, hiring and retaining skilled staff makes sense. “We know attacks are going to happen no matter what the technology,” Steensen says. “You still need a good human being behind [the IDS].”
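The Military.com incident, as an added Python example that is not from the original article: a signature match has nothing to fire on when the only symptom is volume, but a rolling baseline of load flags the jump the engineer spotted by eye. The load samples, window size and threshold are constructed assumptions.

```python
from statistics import median

# Constructed load samples, percent of capacity, one per polling interval.
# The first twelve are ordinary traffic; the tail climbs from 4% toward 74%.
LOAD = [4, 5, 4, 3, 4, 5, 4, 4, 6, 5, 4, 4, 5, 9, 31, 58, 74, 73]


def robust_z(history, value):
    """Distance of value from the recent median, in robust standard deviations.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that one earlier spike does not inflate the baseline.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 * MAD estimates the standard deviation for normal data. The floor
    # of one percentage point keeps a flat baseline from making every small
    # wobble look like an anomaly.
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def detect_load_anomalies(samples, window=12, threshold=6.0):
    """Return (index, load, z) for samples far above the preceding window."""
    alerts = []
    for i in range(window, len(samples)):
        z = robust_z(samples[i - window:i], samples[i])
        if z > threshold:
            alerts.append((i, samples[i], round(z, 1)))
    return alerts


if __name__ == "__main__":
    for index, load, z in detect_load_anomalies(LOAD):
        print(f"interval {index}: load {load}% is {z} deviations above baseline")
```

With these samples the rise to 9% stays below the threshold and the first alert comes at 31%, well before the load reaches 74%.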

Enterprise IT departments are increasingly using 
hybrid systems — a combination of network- and 
host-based tools. A network-based IDS detects 
attacks upfront, according to Michael Rasmussen, a 
senior analyst at Giga Information Group Inc. in 
Cambridge, Mass. “It’s especially good at scans 
around the perimeter,” he says. A host-based system 
detects changes to an individual server’s hard drive 
and thus serves as a backup to a network-based IDS. 
They also catch internal abuse, which is statistically 
more likely than an external attack. 

Intira uses Symantec’s Intruder Alert as its host- 
based IDS on each server, with the network-based 
Cisco Secure IDS from Cisco Systems Inc. “We 
deploy inside and outside the firewall so we can see 
all port scans and attacks,” Steensen says. 

Because Intira’s staff interprets attacks, Steensen 
says, the company makes little use of automatic shun- 
ning, a popular IDS feature that can block addresses 
associated with malicious activity. On the other 
hand, “if you’re running an unattended operation, 
you'd want to configure [your IDS] to be more 
automatic,” and shunning makes more sense, he 
says. But while organizations that shun traffic 
require fewer staffers to monitor the IDS, they 
may inadvertently turn away legitimate users. 

In both staffing and technology, using an IDS is 
a balancing act. On the technology side, new IDS 
users often “turn the volume way up, then catch too 
many false [positives] — then turn the squelch
down to zero” — and attacks slip through, says Peter 
Lindstrom, an analyst at Framingham, Mass.-based 
Hurwitz Group Inc. 

Analysts and vendors say future systems will 
include better user interfaces and features to help IT
managers sort the false alarms from the true threats. 
Vendors are already beginning to address another 
issue: more automated and timely signature updates. 
Cisco recently started pushing signature updates out 
to users of its Secure IDS product. 

Atlanta-based Internet Security Systems Inc.’s new 
release of RealSecure bundles traditional network- 
and host-based IDS tools with the blocking of active 
content (such as executable e-mail attachments) and 
malicious-code-scanning software with a single in- 
formation-user interface. 

Analysts say that vendors must also improve their 
IDS performance. Such systems are an enterprise’s 
first line of defense and make tempting targets for 
would-be intruders. Rasmussen says IDS-specific 
attacks have gained in popularity during the past 
year. One method attackers use is to swarm the sys- 
tem with false positives in the hope that exasperated 
security personnel will shut off the IDS. 

Rasmussen adds that in denial-of-service attacks, 
most detection systems “fail-open” — that is, they 
stop functioning but don’t shut down the rest of the 
network, leaving the network vulnerable. 

Ultimately, IT managers should view an IDS as another security tool whose value correlates to the wisdom and resources with which it is used. As Jeff Uslan, director of information protection at Los Angeles-based Sony Pictures Entertainment says, the key to IDS is “not what it’ll detect, but how you'll use it.”


Ulfelder is a freelance writer in Southboro, Mass. 
Contact him at sulfelder@charter.net. 


MORE IN DEPTH STORIES
■ Outsourcing IDS: It requires less investment upfront, but it may not be less expensive in the long run. And trusting a third party requires a leap of faith. Is it for you?
■ IDS products can cost from several hundred to many thousands of dollars. Our online summary of IDS products and pricing gives you the basics.
www.computerworld.com/securityonline

IN DEPTH RESEARCH ON INTRUSION DETECTION
■ This influential paper by Thomas Ptacek lays out all the flaws of IDSs and sent vendors scrambling to address them. Have you read it yet? www.cw.com/securitylinks.


An Ounce 
Of Intrusion 
Prevention 


Host-based IDSs tend to rely on signatures - the cc 
string fingerprints of a known attack — to trigger alerts.
The trouble is, hackers create new attacks every day.

If they attack an organization using a technique not in the database of the IDS, the company is vulnerable. In response, vendors are offering products that look for suspicious activity and proactively block those potential attacks. Here's a sampling of offerings.


= Entercept Security Technologies 

San Jose 

(www.entercept.com) 

Entercept Security Technologies’ Entercept 2.( 
consists of a software agent that resides near the 
operating system kernel. It monitors system calls before 
they reach the kernel, uses a rules engine to identify 
potentially suspicious activity and then either halts the 
activity or notifies the administrator 


= Recourse Technologies Inc. 

Redwood City, Calif 

(www.recourse.com) 

Recourse Technologies Inc. offers ManHunt, whict 
performs the duties of a traditional IDS and uses an ap 
proach similar to Entercept’s to identify new attacks 


The drawback: Some legitimate activities in an 
organization may trip these systems. The staff will 
then need to define exceptions. Otherwise, the organi- 
Zation could wind up suffering too many false positive 

“These things are good for big hosting facilities 
telcos and maybe financial [services firms],” says Hur 
witz Group analyst Peter Lindstrom, because security 
is so vital to such organizations and attacks are so 
common 

- Steve Ulfelder 
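The trade-off this sidebar describes, as an added example that is not from the article or from either vendor's product: a signature lookup misses an attack that is not in its database, a behaviour rule stops it, and the same kind of rule flags a legitimate job until staff define an exception. The event fields, rule names, signature strings and sample events are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed signature database: byte strings seen in previously known attacks.
SIGNATURES = {
    "known-traversal": b"../../etc/passwd",
    "known-cmd-probe": b"cmd.exe?/c+dir",
}

@dataclass(frozen=True)
class Event:
    """One intercepted request as a host agent might see it (constructed fields)."""
    process: str          # program making the call
    action: str           # "exec", "write" or "read"
    target: str           # file or program acted on
    payload: bytes = b""  # request data that triggered the call

def signature_hits(event):
    """Names of known-attack signatures whose bytes occur in the payload."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in event.payload)

# Behaviour rules describe what a process should never do, whatever the payload looks like.
def web_server_spawns_shell(e):
    return e.process == "httpd" and e.action == "exec" and e.target.endswith(("/sh", "/bash"))

def write_to_system_dir(e):
    return e.action == "write" and e.target.startswith(("/etc/", "/bin/", "/sbin/"))

RULES = {
    "web-server-spawns-shell": web_server_spawns_shell,
    "write-to-system-dir": write_to_system_dir,
}

def behaviour_hits(event, exceptions=frozenset()):
    """Rule names the event trips, minus (process, rule) pairs that staff have excepted."""
    return sorted(
        name for name, rule in RULES.items()
        if rule(event) and (event.process, name) not in exceptions
    )

def decide(event, exceptions=frozenset()):
    """Return ('block' or 'allow', reasons) for one event."""
    reasons = signature_hits(event) + behaviour_hits(event, exceptions)
    return ("block" if reasons else "allow", reasons)

# Constructed sample events.
KNOWN_ATTACK = Event("httpd", "read", "/var/www/index.html", b"GET /../../etc/passwd")
NOVEL_ATTACK = Event("httpd", "exec", "/bin/sh", b"request-never-seen-before")
CONFIG_PUSH = Event("cfgmgmt", "write", "/etc/ntp.conf", b"server time.example")
NORMAL_READ = Event("httpd", "read", "/var/www/index.html", b"GET /index.html")

if __name__ == "__main__":
    for label, ev in [("known attack", KNOWN_ATTACK), ("novel attack", NOVEL_ATTACK),
                      ("config push", CONFIG_PUSH), ("normal read", NORMAL_READ)]:
        print(label, decide(ev))
    # The legitimate job stops tripping the rule once an exception is defined for it.
    print("config push, excepted",
          decide(CONFIG_PUSH, frozenset({("cfgmgmt", "write-to-system-dir")})))
```

Each exception is scoped to one process and one rule, so excepting the configuration job does not switch the rule off for other processes.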


Deadly Pursuit

Computers are playing a major role in an increasing number of real-world crimes, fueling a need for investigators with strong technology skills. By Zachary Tobias

SOUTH DAKOTA, 1999. A woman is found drowned in her bathtub. An autopsy shows a high level of the sleeping pill Temazepam in her bloodstream.

It looks like a suicide — that is, until 
investigators take a close look at her 
husband’s computer. Turns out he’s 
been researching painless killing meth- 
ods on the Internet and taking notes 
on sleeping pills and household clean- 
ers. Armed with that evidence, prose- 
cutors are eventually able to put him 
behind bars. 

Law enforcement agencies across 
the country are realizing that comput- 
er-related evidence is valuable in 
catching all kinds of criminals, not just 
hackers. 

That's why they’re scrambling to 
hire and train officers skilled in com- 
puter forensics, the discipline of col- 
lecting electronic evidence. 

In the corporate world, demand for 
these IT sleuths is increasing, as well. 
They usually work as consultants. For 
example, a company might call a foren- 
sics examiner in to investigate how a 
hacker got into an IT system or to find 
out which employee walked off with 
confidential files. 

But whether he works for law enforcement or the business world, a computer forensics examiner must be able to thoroughly scour an IT system for evidence while following a strict protocol, so that the evidence can be used in a court of law.

We talked to one forensics examiner with exactly that set of skills — the kind of employee who’s sure to be in high demand in both worlds for years to come.

The investigator: Patrick Lim, computer forensics examiner at the Regional Computer Forensics Laboratory (RCFL) in San Diego.

Previous experience: Lim has been a special agent at the Washington-based U.S. Naval Criminal Investigative Service (NCIS) for the past 17 years. But it was only about four years ago, when he was transferred to the NCIS’s Computer Investigations and Operations unit, that his career took a turn into the world of IT.

In January of last year, Lim helped launch the RCFL, a task force that pools the computer forensics resources of several law enforcement agencies in the San Diego area.

Lim says all examiners at the RCFL 
must have strong investigative and 
problem-solving skills, as well as a sol- 
id foundation in operating systems and 
computer imaging. 

Responsibilities: Lim spends much of his time working on cases that directly involve computers, like child pornography on the Web or Internet fraud. Increasingly, though, all kinds of cases involve computers, he says. “In the past, people thought that computer forensics applied strictly to computer crimes,” says Lim. “But since computers are now such a part of everyday life, we’re finding that almost every crime at some point touches a computer.”

For example, at the site of a bank robbery, investigators recovered demand notes that were written using a notepad application. Examining one suspect’s computer, Lim found that the thief had been careful to delete the files. Looking deep into the hard drive, however, Lim was able to find copies of the notes that were automatically made by the printer.

No matter what the nature of the case, it’s essential to leave all of the evidence exactly as it was found — “just like a crime scene,” says Lim. For that reason, forensics examiners never work directly on suspects’ computers. Instead, they use computer imaging to make a complete bitstream copy of an entire machine, and they then comb the copy for whatever incriminating evidence they can find.


Tobias is a freelance writer in Santa 
Cruz, Calif. 


MORE IN DEPTH STORIES
- Advice from former Air Force regional crime investigator Jose Granado on how to launch a private-sector career in computer forensics.
- And see our chart on top-paying regions and industries for IT security professionals.
www.computerworld.com/securityonline


Profile 


NAME: Patrick Lim 

TITLE: Computer forensics examiner 
ORGANIZATION: Regional Computer 
Forensics Laboratory, San Diego 

NATURE OF HIS WORK: Collects and ana- 
lyzes computer-related evidence in crimi- 
nal investigations 

SKILLS NEEDED: Lim says a combination 
of investigative and IT skills is key. 
SALARY POTENTIAL: In law enforcement,
$50,000 to $70,000; in private companies
and consulting firms, computer forensic
examiners can make up to twice that.
CAREER PATH: Computer forensics skills 
could lead to jobs in law enforcement 
agencies or in the private sector, where 
demand for forensics experts is growing. 
ADVICE: Consider getting a certification, 
like that offered by the FBI's Computer 
Analysis and Response Team program. 

Manager Offers Primer On Computer Forensics

Vince’s company is loath to prosecute attackers, but gathering computer evidence is still part of the job

BY VINCE TUESDAY

This week's journal is written by a real security manager.

MENTION THE WORD forensics, and I imagine rubber gloves and Dana Scully conducting autopsies in The X-Files. Thankfully, when applied to computers in general, forensics is less smelly and less likely to involve extraterrestrial life.

An increasing number of criminal investigations these days include evidence extracted from computers. However, because of the impermanence of digital data and the ease with which evidence can be manufactured, evidence has to be obtained with great care.

We have many thousands of computers in our company that are potential targets for criminal activity. Hackers may try to gain access to confidential data over the Internet. Insiders may try to modify expense claims after they’ve been approved.

Most of our efforts are spent trying to stop this from succeeding, but sometimes attacks slip past our defenses. Also, computers can be used as tools of crime, as when staffers download pornography from the Web or send our customer lists to their new employer by e-mail just before they quit.

Gathering the Evidence

When our computers become the targets of a crime, we must gain access to the systems to verify that a crime has been committed. Once we know it isn’t a false alarm, we collect digital evidence to determine the scope of the crime. An accurate record of what has happened allows us to recover, repair and learn from the past. And if we collect evidence carefully, we can use it in court. If we handle the data without following the correct procedures, however, there’s nothing we can ever do to produce admissible evidence.

Practically speaking, we’re unlikely to present such evidence in court. Like most financial services organizations, we prefer not to drag our security problems through the justice system. But when we start investigating, we can’t be sure that we won’t uncover something that requires prosecution or that we could use to defend ourselves from a liability suit.

Courts require the highest standards of computer evidence. Increasingly, the tribunals used to resolve disputes between staff and company, such as wrongful dismissal cases, require the same level of evidence.

When a member of our staff uses one of our computers to commit a crime, digital forensics are the only way we can prove wrongdoing.

Our main forensic tool is EnCase software from Guidance Software Inc. in Pasadena, Calif. It allows us to boot up off of a floppy disk and copy a hard disk byte by byte. The methodology it uses is admissible in court. Guidance Software also offers several tools for searching and extracting evidence.

In today’s world of very large local disk drives, network storage, personal digital assistants and mobile devices, trying to find data can seem like hunting for a needle in a haystack. User behavior helps narrow this down. Most users seem to feel that their local drives are safer than the network. They seem to believe that we have enough time and resources to check only the network drives for questionable material. This belief makes our investigations simpler. A simple local disk search usually uncovers all the evidence we need. And since local drives are less busy than network drives, deleted files are less likely to have been overwritten.
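Why the examiners in both articles image the drive rather than copy its files, as an added example that is not from either article and does not show how EnCase works: a file-level copy follows the directory and skips a deleted file, while a byte-by-byte copy keeps its contents for a later search. The toy disk layout, file names and contents are constructed, and the SHA-256 comparison is a common verification step assumed here, not one the articles describe.

```python
import hashlib
import io
import struct

BLOCK = 64                         # toy block size in bytes (constructed format)
ENTRY = struct.Struct("<BBH12s")   # live flag, start block, length, name = 16 bytes

def build_toy_disk():
    """Construct a 4-block 'disk': block 0 is the directory, blocks 1-3 hold data."""
    files = [
        (1, 1, b"quarterly figures attached", b"report.txt"),
        (0, 2, b"DEMAND NOTE (constructed sample)", b"note.txt"),  # flag 0 = deleted
    ]
    directory = b"".join(ENTRY.pack(live, blk, len(data), name)
                         for live, blk, data, name in files)
    disk = bytearray(BLOCK * 4)
    disk[:len(directory)] = directory
    for _live, blk, data, _name in files:
        # Deleting only cleared the flag; the data block was never wiped.
        disk[blk * BLOCK: blk * BLOCK + len(data)] = data
    return bytes(disk)

def logical_copy(disk):
    """File-level copy: follows the directory and returns only live files."""
    out = {}
    for off in range(0, BLOCK, ENTRY.size):
        live, blk, length, name = ENTRY.unpack_from(disk, off)
        if live and length:
            out[name.rstrip(b"\0").decode()] = disk[blk * BLOCK: blk * BLOCK + length]
    return out

def bitstream_copy(src, dst, chunk=BLOCK):
    """Copy every byte from src to dst in order; return SHA-256 of what was read."""
    digest = hashlib.sha256()
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        digest.update(buf)
        dst.write(buf)
    return digest.hexdigest()

def find_all(image, keyword):
    """Byte offsets of every occurrence of keyword anywhere in the image."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = image.find(keyword, pos + 1)
    return hits

def acquire_and_examine(disk, keyword):
    """Image the disk, verify the image, then search the image, never the original."""
    source = io.BytesIO(disk)      # stands in for the suspect drive; only ever read
    image_file = io.BytesIO()      # stands in for the second (evidence) disk
    source_hash = bitstream_copy(source, image_file)
    image = image_file.getvalue()
    return {
        "verified": hashlib.sha256(image).hexdigest() == source_hash,
        "same_size": len(image) == len(disk),
        "in_logical_copy": any(keyword in data for data in logical_copy(disk).values()),
        "offsets_in_image": find_all(image, keyword),
    }

if __name__ == "__main__":
    print(acquire_and_examine(build_toy_disk(), b"DEMAND NOTE"))
```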

Cheap and available encryption may 
be a brief hindrance for the feds, but for 
us, it draws an impenetrable veil across 
the data, unless our users have chosen 
easy-to-crack WinZip compression or 
Microsoft Office encryption. Luckily, 
our policy prohibits staff from using 
encryption without providing a key, 
so disciplinary charges can be brought 
without us having to break the code. 

I'll bet a good many readers are jump- 
ing up and down about free speech and 
the right to privacy. I assure you that 
our staffers can afford home systems 
with Internet access, and that’s the 
place for them to exercise those rights. 
We explain clearly to all staff that they 
should have no expectation of privacy 
when using work systems. 


Wrongfully Accused 

While forensics evidence can implicate
users, it can also clear them
from suspicion. Recently, a disgruntled 
worker was suspected of hacking our 
internal systems. Management called 
us in to provide the digital evidence 
to sack him with no danger of a wrong- 
ful dismissal suit. 

We carried out a 3 a.m. black-bag job 
on his machine, carefully taking digital 
photos of his desk and machine so that 
we could restore everything without 
alerting suspicion. We quickly took his 
machine to our lab. Within a few hours, 
we had dismantled the machine, taking 
care not to disturb the dust on the outside.
We added a second disk
to hold the evidence and booted the
machine from the EnCase floppy disk. 
We carefully made an exact copy of the 
disk, returned the machine and retired 
to the lab to examine the results. 

When we return from such a mission, we always check all the tools we used, like surgeons in an operation, to make sure we haven't left anything in the patient. This time, we couldn’t find the boot floppy. A swift return to the alleged crime scene recovered the offending disk. How foolish would we have looked when the suspect booted his machine the next morning, only to be greeted by a “Welcome to EnCase forensic solutions” screen? Fortunately, attention to detail averted that disaster.

Sometimes, even we jackbooted privacy invaders can actually help someone clear his name. With careful analysis, we were able to show that this particular user’s machine and the use of software on it were legitimate. We went through it so closely that we could see the pornographic images downloaded three users back. Our forensic evidence was enough to overturn the circumstantial evidence against him.

Some readers may disagree with our methods, but the results speak for themselves. I welcome your comments in the Security Manager’s Journal forum.

GLOSSARY

Computer forensics: The investigation of computer crime, including the collection, analysis and presentation in court of electronic evidence.

Black-bag job: Slang for the surreptitious entry into an office to obtain files or materials.

LINKS

www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm: This Web page, “Federal Guidelines for Searching and Seizing Computers,” includes the U.S. government's policy for collecting computer evidence. Designed for federal agencies, it’s also a useful resource to learn the correct procedures to follow when gathering evidence.

www.guidancesoftware.com/html/index.html: Guidance Software's Web site includes information on its EnCase digital forensic software, hardware and training services.

www.sans.org/infosecFAQ/incident/forensics.htm: This paper by Dorothy A. Lunn, at the Web site of Bethesda, Md.-based SANS Institute, offers an excellent introduction to computer forensics, including references to an array of products, training resources and additional reading.


MORE ONLINE: For more on the Security Manager's Journal, including past journals, visit www.computerworld.com/securitymanager

The name and employer of “Vince Tuesday” have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com or go to the Security Manager's Journal forum.





PKI networks promise to make online transactions safer. Trouble is, they’re hard to build, so few bother. But that may be changing.

By Jaikumar Vijayan

PUBLIC KEY INFRASTRUCTURES (PKI) that create the ability to maintain privacy, authenticate users, protect the integrity of data and execute transactions without the risk of repudiation have long held the promise that they could make online transactions safer.

But corporations need to have a clear understanding of what they want to do with the technology and be prepared to face up to thorny integration, interoperability and legal issues if they are to see any of that promise fulfilled, users and analysts say.

“PKI in and of itself means nothing,” says Steve Ellis, executive vice president of San Francisco-based Wells Fargo & Co.’s Wholesale Internet Solutions group.

For PKI to be relevant, “you have to first think through what identity management means for the way your business operates,” says Ellis. “You need to know what your critical [information] assets are and figure out when to implement a digital authentication strategy as opposed to [another means of authentication].”

A PKI infrastructure consists of ded- 
icated hardware, software, data trans- 
port mechanisms, smart cards and ap- 
plications, along with governing poli- 
cies and protocols, that companies can 
use to establish a high level of trust 
when carrying out online transactions. 

The following components lie at the 
core of PKI-enabled services: 

- A certificate authority (CA) that verifies an applicant’s identity and issues a digital certificate, or electronic identification, containing a public key to encrypt and decrypt messages and digital signatures.

- A registration authority that checks the credentials of individuals applying for digital certificates.

- Data repositories for storing the certificates.

If deployed successfully, 
such infrastructures can 
provide the basis for se- 
curely conducting a wide 
range of online activities 
using electronic IDs, electronic signa- 
tures and encryption. 

Wells Fargo, for instance, has begun testing a new PKI-enabled business-to-business service that lets businesses negotiate, purchase and pay for goods online in real time, in a nonrepudiable manner using digital IDs. The company acts as a CA and issues digital certificates that customers use as electronic IDs while conducting business-to-business transactions.

But formidable challenges stand in the way, users and analysts say.

For one thing, PKIs are costly and complex to implement. They provide a mechanism for secure online transactions, but a lot of their success depends on human processes.

COMPUTERWORLD July 9, 2001

For example, just because someone 
has an electronic ID doesn’t mean that 
person is who he claims to be. A lot de- 
pends on the rigor applied by the CA 
in identifying and authenticating users 
and in controlling their access to ser- 
vices based on their user profiles. 

The U.S. Postal Service, for instance, 
offers a PKI-enabled service called 
NetPost.Certified for secure govern- 
ment-to-government and government- 
to-consumer transactions. 

NetPost.Certified uses the Postal Service’s 38,000 branch offices as stations at which consumers can present the identification that some federal agencies require before issuing individual digital certificates.

Without this kind of rigor, the whole concept of electronic IDs can quickly become meaningless.

The technology also raises many 
legal questions, says Eric Kossen, glob- 
al head of project management at a 
PKI-enabled service from ABN Amro 
Holding NV, the Amsterdam-based fi- 
nancial services giant. 

Like Wells Fargo, ABN Amro acts as 
a CA that issues electronic IDs for a 
new business-to-business purchase 
and payment service aimed at large 
businesses. 

“If you operate as a certificate au- 
thority, you take on a certain level of 
responsibility for that role,” Kossen 
explains. 

A lot of the questions surrounding PKI have to do with the way certificates are issued, verified, revoked and checked. There are also uncertainties about the level of trust assigned to digital IDs issued by other CAs. And there are even questions about such fundamental issues as the legal validity of electronic signatures and the manner in which they are stored, says Kossen.

[Figure: Components of PKI, including the registration authority, which verifies user requests for digital certificates.]

Despite major vendors’ claims that their products are mature, many PKI technologies are still evolving. Many vendors claim to offer the entire range of technologies needed to build a PKI service. Often though, it’s best to choose best-of-breed products from a variety of vendors, say users and analysts. But that raises issues of interoperability and standards. Putting up a PKI framework, therefore, means dealing with a hodgepodge of technologies that seldom work with one another and are constantly evolving, say users.

Few applications are enabled out-of- 
the-box to take advantage of PKI ser- 
vices. This means users must integrate 
them into PKI networks. A growing 
number of vendors offer tool kits that 
snap into applications and make them 
PKI-ready. But these tool kits don’t eas- 
ily interoperate. 

Resolving interoperability issues means addressing them at the application level, at the component level and between multivendor PKI domains, according to a recent white paper published by the PKI Forum, a Wakefield, Mass.-based consortium of vendors established to address the issue.

Application-level interoperability 
deals with PKI services, such as en- 
cryption, authentication and nonrepu- 
diation, between peer applications, 
such as two e-mail clients, according to 
the PKI Forum. 

Component-level interoperability 
relates to the manner in which devices 
that provide and consume PKI ser- 
vices, such as a CA, interact with other 
similar devices. 

Interdomain interoperability deals 
with how to link multiple PKI domains 
that are based on technologies from 
different vendors. 

Interoperability is also important in 
the long term because it lowers the 
risk of customers being tied to a single 
vendor or technology, while offering 
them a greater choice among vendors, 
says Laura Rime, a director at New 
York-based Identrus LLC. 

Identrus is a for-profit company es- 
tablished by eight leading global 
banks. Since 1997, it’s been build- 
ing a PKI-based global system 
that assures businesses of the 
identity of their trading partners. 

Financial institutions that are part 
of the Identrus network issue digital 
certificates to conduct online transac- 
tions with certified trading partners. 

Identrus has a prescribed interoperability test process and baseline standards that PKI vendors have to meet in order to be able to sell to Identrus’ member institutions. The number of products and technologies that have qualified now exceeds 25 — more than double the number at this time last year, Rime says.

Because acceptance of PKI has been 
limited so far, there hasn’t been a sense 
of urgency among vendors to advance 
interoperability, says Dan Hellman, a 
manager at Cylink Corp. in Santa 
Clara, Calif. 

Despite the promise of PKI, most 
corporations still aren’t quite sure 
what to do with it, says Wells Fargo’s 
Ellis. One of the reasons is that there 
are other readily available authentica- 
tion alternatives, ranging from basic 
passwords to biometric technologies, 
that companies can use, he says.

But “if PKI interoperability is what you are waiting for, then wait no more,” says Peter Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass. “Start your deployment now, because by the time you get to a point where you want to connect external CAs, the issues will have resolved themselves.”


Initial efforts to provide online authentication have been costly

LAST YEAR, the federal government couldn’t move fast enough to pass a digital signatures law, which it finally did in October.

But almost a year later, it appears 
that all of the hullabaloo has turned out 
to be little more than smoke, as many 
companies have managed to make do 
without state-of-the-art authentication 
and security technologies. 

Prior to the legislation, it was be- 
lieved that the electronic identifiers 
were needed to support the online 
business-to-business explosion that 
appeared to be just around the corner. 

At the same time, many companies were being told they had to put a public-key infrastructure (PKI) cryptography and authentication system in place to be sure they weren’t doing business with cyberpirates.

However, business-to-business e-commerce didn’t boom as quickly or as broadly as anticipated. Meanwhile, those companies that are dabbling in the e-commerce arena have managed to do so without digital certificates.

“What we learned is you don’t have to have these things in place to start electronic commerce,” said Jan Sundgren, an analyst at Giga Information Group Inc. in Chicago.

However, a second-generation PKI standard that embeds authentication processes into e-commerce applications and smart cards that are enabled for digital certificates have evolved during the past year, pushing online authentication closer to viability.


Not So Fast

The main hurdles to adoption are cost and difficulty of implementation.

For instance, a November survey of 1,026 executives at U.S. companies with revenues of more than $1 billion revealed that only 16% of the firms had completed work on digital certificate infrastructures, according to Frank Prince, an analyst at Cambridge, Mass.-based Forrester Research Inc., which conducted the survey.

In 1999, half the companies in Forrester’s annual e-commerce poll said they would have working PKI systems in place by the end of this year. But when Forrester conducted the poll again last year, only one-third of the respondents said they believed they could achieve that goal in the next two years.

“The expectations fell off after they had the experience with the implementation and expense of digital certificate technology,” says Prince. “What they discovered is that this isn’t as easy as they thought.”

One of the chief hurdles to the adoption of digital certificates is that most PKI software has been developed along proprietary lines. Authentication services that might work well to support internal expense reports or personnel evaluations don’t necessarily translate in a business-to-business format.

PKI allows companies to send encrypted messages through a public registry, which is then decrypted by a private key that the receiver holds.

As it turns out, many companies that are capable of issuing PKI certificates rarely use them.

Jurgen Leijdekker, U.S. managing director at Denver-based eCredible Ltd., a transaction risk-management subsidiary of Amsterdam-based credit insurance company NCM NV, says it’s rare for companies to ask for digital certificates when they do business online.

“We can issue them, but many companies feel a password in their hands is somehow more secure,” he says.

Even though risk management often involves the most sensitive financial aspects of online trading, few companies are able to perform the decryptions. As a result, executives at eCredible view digital certificates as a perk service, not something central to its business, Leijdekker says.

A proposed standard called XML Key Management Specification (XKMS) may help solve this dilemma. Submitted in April to the World Wide Web Consortium standards body, XKMS is based on Web services protocols such as Web Services Description Language and Simple Object Access Protocol. The standard was designed with the goal of providing interoperability between PKI systems.

XKMS incorporates authentication services inside of e-commerce applications. Currently, desktop and e-commerce applications must be enabled to handle digital keys for authentication. As a result, no longer would both the buyer and seller need fully implemented PKI infrastructures to exchange certificates or signatures.


IN DEPTH RESEARCH ON DIGITAL CERTIFICATES: www.computerworld.com/securitylinks

Giving Users Back Their Privacy

The P3P standard may not make Web surfing more private, but it might give consumers a way to enforce the promises that Web sites make. By Deborah Radcliff

WITH MICROSOFT SET to release its first browser-based consumer privacy controls later this month, the Platform for Privacy Preferences Project (P3P) standard is about to step into the limelight.

Already, 63 companies have joined the P3P bandwagon. They’ve rewritten and tagged their privacy statements in XML to make those policies readable by Web surfers’ machines. And many more e-merchants are well into the process of making their online privacy statements P3P-compliant.

The promise of P3P is that it will give users control over how their data is gathered and used. By supporting the standard, e-merchants hope to draw consumers back to the Web, and maybe even gain some loyalty in the process.

But critics are wary of this silver-bullet approach to consumers’ privacy, charging that tools that only expose privacy policies don’t hold e-businesses accountable for promises they make. And early iterations of Microsoft Corp.’s browser tool and the other emerging P3P plug-in by YouPowered Inc. in New York aren't really reading full privacy policies when deciding whether to allow a read from or write to a cookie, making it harder to automate personal preferences on privacy.

[Photo caption: DoubleClick’s Jules Polonetsky: P3P “is the beginning of allowing users to say, ‘I’ll give you this, but I won't give you that.’”]

“P3P will not improve the current level of privacy 
protection,” says Andy Shen, policy analyst at EPIC.- 
org, a privacy advocacy group in Washington. “What 
we need is standards — something to hold [vendors] 
accountable. Because without those, there’s no en- 
forcement.” 


But these early iterations of P3P are better than doing nothing, say proponents. And as implementations expand to offer more granular choices for users, P3P could be the biggest thing to hit the browser since Secure Sockets Layer encryption, say early adopters.


The Language 

By tagging English-language privacy statements in 
XML, Web businesses make their policies readable 
by any P3P client. As P3P matures, users should 
eventually have a vast array of settings 
they can use to tailor their Web experi- 
ences to their preferences. 

“The benefit of P3P is once you estab- 
lish a set of general preferences, the re- 
view of the site’s policy happens automatically,” says 
Jules Polonetsky, chief privacy officer at e-mail mar- 
keting company DoubleClick Inc. in New York. “This 
is the beginning of allowing users to say, ‘I’ll give you
this, but I won’t give you that. Tell me what [the Web 
site is] asking for, and my browser will interact.” 

The back-end work of tagging privacy statements in XML is straightforward, says Lorrie Cranor, chair of the P3P specifications working group spearheaded by the World Wide Web Consortium. Cranor, also a principal technical staff member at AT&T Labs in Florham Park, N.J., has completed tagging AT&T Corp.’s English language privacy policy for P3P compliance.

The difficult part is re-creating the privacy state- 
ments in the fine detail required to make them P3P- 
compliant, according to both Cranor and Polonetsky. 

“Your privacy statement and your P3P statement 
are likely to be different documents,” says Polonet- 
sky, who’s in the midst of rewriting DoubleClick’s pri- 
vacy statements for P3P. “Most privacy policies don’t 
go into as much detail as P3P does — or cover the 
gamut of technology that has any information rela- 
tionship, like navigational data, log files, HTTP refers.” 

To make this easier, Cranor developed a template-based privacy policy generator to cover the mundane detail called for in P3P-compliant policy statements. AT&T’s new policy, which went live July 1 at www.att.com/privacy/, addresses not only what data is collected, but also how it’s collected and what’s done with it. Some examples include the following:

■ Data collection: AT&T’s policy specifies what the data is collected for: Billing services, change services, problem resolution and product information. “This means that AT&T may use your customer-identifiable information, in conjunction with information available from other sources, to market new services to you that we think will be of interest to you, but we will not disclose your customer-identifiable information to third parties who want to market products to you,” the statement says.
■ Cookies: The policy states that “AT&T servers automatically gather information about which sites customers visit on the Internet and which pages are visited within an AT&T Web site. The company does not use that information, except in the aggregate.”
■ Disclosure: AT&T’s policy states it will not sell, trade or disclose this information — including customer names and addresses — to third parties without consent of customers. It also says AT&T will ensure that contractors also protect the customer-identifiable information.

Polonetsky says DoubleClick’s privacy 
policies are clear, but the company’s use 
of cookies is complex because it moni- 
tors Web surfing habits to determine which ads to 
send to consumers’ browsers. So his efforts have 
mostly centered on making sure cookie use is por- 
trayed accurately, which has taken extensive confer- 
encing with DoubleClick’s legal, privacy, marketing 
and technical people, he says. 

Missing from P3P work is language for data securi- 
ty, something even the Federal Trade Commission 
(FTC) brought up to the P3P working group when it 
was formalized in 1997. But when the working group 
looked into allowing consumers to set their data se- 
curity preferences, it decided it was impossible to ob- 
jectively define which sites are secure, says Cranor. 

That’s because anyone with a firewall can say they 
protect consumers’ data, even if that firewall is junk, 
she says. P3P does include a hook for security vocab- 
ulary, but it won’t be useful until some best security 
practices, such as the published security standard 
ISO 17799 or Visa International Inc.’s merchant secu- 
rity policies, are universally adopted. Then, the XML- 
readable security policy could verify that a site pro- 
tects the customer’s data by saying that it adheres to 
the ISO 17799 security standards, for example. 


The Revolution 

Microsoft demonstrated its P3P in its browser in December at a privacy/security conference it hosted. YouPowered also has a browser plug-in. Netscape Communications Corp. is waiting for a secret third-party developer to deliver an open-source P3P reader


What Is P3P?


THE PLATFORM FOR PRIVACY PREFERENCES
PROJECT (P3P), developed by the World Wide
Web Consortium, is an emerging industry standard
that gives users more control over
information gathered on Web sites t 

P3P consists of a standardized set c 
choice questions covering all aspects of a Web 
site’s privacy policy. The answers off 
shot of how a site handles users’ pe 
mation. P3P-enabled Web sites make this 
mation available in a standard, machine-readable 
format. P3P-enabled browsers read the 
and compare it to the consumer's privacy prefer 
ences. P3P enhances user control by put 
vacy policies where users can find them, in 
users can understand, and enabling user 
on what they see 


own, perhaps for commercial use in the future, ac- 
cording to Cranor. 

Some criticize Microsoft's tool for not automatically
reading full privacy statements. However,
Polonetsky and Cranor both say that’s a good thing, 
because to do otherwise at this early stage of adop- 
tion would block access to non-P3P-compliant sites. 
And the P3P reader operates much faster by reading 
just the cookie headers and reading full privacy poli- 
cies only when the Web surfer specifically requests 
it, says Michael Wallent, the director of Microsoft's 
Internet Explorer team. 
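
The header-only check described above, sketched as an added example (not code from Microsoft, YouPowered or the W3C): it parses the compact policy a site sends in its P3P response header alongside a cookie and compares it with a user's preferences. The token vocabulary is from the P3P 1.0 specification; the sample headers, the preference rules and the function names are constructed for illustration.

```python
import re

# Compact-policy token vocabulary from the P3P 1.0 specification.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
OTHER_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",            # access
    "DSP", "COR", "MON", "LAW", "NID", "TST",            # disputes, remedies, flags
    "NOR", "STP", "LEG", "BUS", "IND",                   # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",  # data categories
}

# Hypothetical user preferences (constructed for this example).
PREFS = {
    "no_policy": "accept",   # blocking here would lock out non-P3P sites
    "purposes_need_choice": {"CON", "TEL", "IVA", "IVD"},
    "recipients_need_optin": {"UNR", "PUB", "OTR"},
}


def parse_compact_policy(p3p_header):
    """Return the parsed CP="..." tokens of a P3P header, or None if absent."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header or "", re.IGNORECASE)
    if not match:
        return None
    policy = {"purpose": {}, "recipient": {}, "other": set(), "unknown": []}
    for raw in match.group(1).split():
        token, consent = raw[:3].upper(), raw[3:].lower()
        # Purposes and recipients may carry a consent suffix:
        # a = always (the default), i = opt-in, o = opt-out.
        if token in PURPOSES and consent in ("", "a", "i", "o"):
            policy["purpose"][token] = consent or "a"
        elif token in RECIPIENTS and consent in ("", "a", "i", "o"):
            policy["recipient"][token] = consent or "a"
        elif token in OTHER_TOKENS and not consent:
            policy["other"].add(token)
        else:
            policy["unknown"].append(raw)
    return policy


def evaluate_cookie(p3p_header, prefs):
    """Decide 'accept' or 'block' for a cookie from the header alone."""
    policy = parse_compact_policy(p3p_header)
    # A missing policy, a test policy (TST) or one with no stated purpose
    # gives the browser nothing to compare against.
    if policy is None or "TST" in policy["other"] or not policy["purpose"]:
        return prefs["no_policy"], ["no usable compact policy"]
    if "NID" in policy["other"]:
        return "accept", ["site declares no identifiable data (NID)"]
    reasons = []
    for token, consent in sorted(policy["purpose"].items()):
        if token in prefs["purposes_need_choice"] and consent == "a":
            reasons.append(f"purpose {token} without opt-in/opt-out")
    for token, consent in sorted(policy["recipient"].items()):
        if token in prefs["recipients_need_optin"] and consent != "i":
            reasons.append(f"recipient {token} without opt-in")
    return ("block" if reasons else "accept"), reasons


# Constructed response headers, as a site might send them with Set-Cookie.
SITE_A = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADM DEV OUR BUS NAV COM"'
SITE_B = 'CP="NOI CUR ADM TELo CONi OUR UNR STP ONL PHY"'
SITE_C = None  # a site that sends no P3P header at all

if __name__ == "__main__":
    for name, header in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        print(name, evaluate_cookie(header, PREFS))
```

The decision rests entirely on what the site declares about itself; nothing in the header lets the client verify the claim, which is the accountability gap the critics quoted here point to.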

Critics have said they would also like to see P3P 
somehow create more merchant accountability. One 
could argue, however, that accountability and en- 
forcement are already on the rise. Currently, some 
50 privacy-related bills are hung up in Congress. And 
the FTC is using existing laws regarding deceptive 
practices, negligence and breach of contract to go 
after companies that violate consumer privacy (first 
in line was DoubleClick). 

Add merchant accountability to a sense of con- 
sumer empowerment, and e-commerce may actually 
live up to its promise. 

“Statistics show that people on the Internet are concerned about identity theft and other privacy issues,” says Gary Clayton, CEO of the Privacy Council, a privacy consulting group in Dallas. “I think P3P is the beginning of things to come.”


IN DEPTH RESEARCH ON P3P
■ Want to see the full P3P specification from the W3C? Could you use a tool to help create your own P3P policies? What other privacy
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Feeling Safe With 
IT Security Deals

TO IT PROFESSIONALS, the word security generally evokes operational-type thoughts. For instance, there’s a need for physical security of the data itself. And there’s software-controlled access to the secure network. Then there’s security to control access to the organization’s order entry and financial systems and to the underlying databases. Now, with the proliferation of Web-based systems, Internet firewall security has become a growing concern.

Regardless of the setting, security is a major control issue facing not only today’s IT managers, but everyone else as well.

Although the security function is staffed internally, the tools we use, for the most part, are rarely homegrown. To build the security infrastructure, IT managers go outside to license software, purchase or lease hardware, and contract for consulting services. But there’s always a contract involved — yours or the vendor’s. From a deal management perspective, contracting for security is like any other technology acquisition: You must make sure you get what you pay for.

In the rush to build a security infrastructure, don’t forget about the rights and obligations of the contract. You must take the time to do it right. Don’t get caught with contract “gotchas” that come back to haunt your organization after the deal is done. Contract problems during the relationship take time away from other activities and can cost you significant bottom-line dollars, along with some career embarrassment. And the fixes are seldom easy.

The list of ugly contracting possibilities is much longer than this column. But it’s important to focus on some of the more potentially problematic areas. Think of the following as a checklist to prevent any “gotchas” in security contracting. You can use it to level the negotiating field.

Software

When the contract involves security software, watch for the following things:

■ The license should be perpetual, irrevocable and of sufficient scope to cover your entire organization.
■ The vendor should guarantee that the software will perform according to the published specifications for at least a year. If it doesn’t, the vendor should fix it at no charge. Or, if it can’t be fixed, the vendor should refund your money and “make you whole” for the expenses you incurred related to its software.
■ Maintenance should include enhancements (minor improvements and bug fixes) and upgrades.
■ Insist on the right to install and test the software before paying the majority of the money specified in the deal. There’s nothing like testing in your own environment to make sure you’re getting what you think you’re paying for.

Consulting

When the contract involves consulting services, watch for the following things:

■ Make sure the consultant is fully qualified. Check references, and interview staffers assigned to your site.
■ Make sure the consultant’s responsibilities and expected results are carefully documented in the contract.
■ Make your payments based on the consultant’s achievement of acceptable results, not on the passage of time.
■ Provide for frequent project status meetings.
■ Make sure you own all of the consultant’s deliverables.
■ Make sure there’s a confidentiality agreement in place between you and the consultant.

Hardware

When the contract involves hardware, watch for the following things:

■ Secure the right to test the hardware in your own environment before final payment.
■ Check the vendor’s warranty carefully, and understand what’s included (such as parts or labor) and for how long.
■ Make sure the configuration ordered is complete. Get the vendor to warrant that it has included all the necessary components. This helps avoid unexpected charges for additional equipment.
■ Get a firm delivery date, and hold the vendor accountable with remedies if it fails to deliver on time.

In short, no matter how great your hurry to plug some hole in your security plan, always remember to make sure there’s a well-thought-out contract. These guidelines will get you closer to a safe and “secure” agreement — and closer to getting what you think you’re paying for.

JOE AUER is president of International Computer Negotiations Inc. (www.dobetterdeals.com), a Winter Park, Fla., consultancy that educates users on high-tech procurement. ICN sponsors CAUCUS: The Association of High Tech Acquisition Professionals. Contact him at joea@dobetterdeals.com.


QuickStudy Guide to Security

■ Competitive intelligence: The process of monitoring competitors and the competitive environment using the systematic gathering of data from many IT-enabled sources.
■ Digital certificates: Data files used to establish the identity of people and electronic assets on the Internet. They allow for secure, encrypted online communication and are often used to protect online transactions. They can be used as electronic passports to enable electronic transactions, but only if your infrastructure is set up to handle them.
■ Digital wrappers: A program wrapped around another program or file, such as an e-mail message. The wrapper acts as a multifunction gatekeeper to do things like encrypt and secure e-mail or control the enclosed program from running under certain circumstances.
■ Intrusion detection: The art and science of sensing when a system or network is being used inappropriately or without authorization. If having a firewall is like having a security guard at the door, then an intrusion-detection system is like having a network of sensors that tells you when someone has broken in, where he is and what he’s doing.
■ Proxy server: An Internet server that controls client computers’ access to the Internet. Using a proxy server, a company can stop employees from accessing undesirable Web addresses, improve performance by storing Web pages locally and hide the internal network’s identity.
■ Risk management: The process whereby potential risks to a business are identified, analyzed and mitigated, along with the process of balancing the cost of protecting the company against a risk vs. the cost of exposure to that risk.
■ Virtual private network (VPN): A secure, encrypted connection between two points across the Internet. VPNs transfer information by encrypting and encapsulating traffic in IP packets and sending the packets over the Internet; that practice is called tunneling. Most VPNs are built and run by Internet service providers.

Find it online at www.computerworld.com/wi/quickstudy

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Finjan’s Software Blocks 
Active Content Threat

Start-up’s product monitors suspicious activity from executable e-mail attachments

BY PIMM FOX

THERE’S NO shortage of reasons for corporate IT managers to be concerned — very concerned — about external threats to the security of their systems. Trojan horses and viruses that enter organizations as executable e-mail attachments are abundant, and antivirus software doesn’t always catch them.

Finjan Software Inc.’s response is SurfinShield Corporate and SurfinGate, software that actively monitors downloaded active content, including executables, ActiveX and Java scripts, on individual desktops and at e-mail gateways.

By monitoring code behavior, Finjan’s products let companies enforce security policies by automatically blocking malicious activity before it causes damage to PCs. “The days of relying on reactive security products to stop malicious code attacks are over,” says Phil Kantz, president and CEO of the San Jose-based start-up. “Companies cannot afford to wait hours or days for security updates to be protected from new attacks.”

A security analyst at a major Northwest retailer, who declined to be named, can attest to that. “I saw SurfinShield, and then six months later, the Melissa virus hit,” he says. “We decided to segment the responsibility of dealing with these threats by installing the desktop version, mainly because we had very few means of identifying the attacks before they hit.”

He says the product has successfully blocked subsequent active content attacks before they could do damage.

“It catches attacks before they become active,” says Christian Christiansen, an analyst at Framingham, Mass.-based IDC. “Finjan’s software controls code behavior before it can do harm.”

“Monitoring programs for malicious behavior, or sandboxing, has come of age and proved its effectiveness against worms like ‘I Love You’ and Anna Kournikova,” says Yigal Edery, Finjan’s director of research and development.

Plus, Internet worms can change their characteristics every four to six hours, which is faster than antivirus software vendors can turn around virus signature updates, adds Dave Kroll, the firm’s director of marketing.

SurfinShield Corporate runs on each PC in the background, watching for file violations and checking for attempts to delete files, access registries or access the operating system. It also has a central console for setting policy, monitoring and administering SurfinShield across all desktops.

Administrators can also set policies that let some ActiveX controls in while blocking others. “We needed to offer software that allows for specific controls to run software that uses ActiveX controls like WebEx, while still enforcing security policies,” says Kroll. “SurfinShield does that.”

Finjan’s SurfinGate protects e-mail gateways running on Windows NT, Windows 2000 or Unix servers. Finjan says its customers include the Internal Revenue Service, the European Parliament and the Pentagon.

People Problem

When installing SurfinShield Corporate on desktops, IT managers may need to overcome some user resistance, the Northwest retailer discovered. “We also had to explain to our 600 desktop users why we were installing this; we weren’t trying to censor what they looked at, but rather we had to block applets that posed a threat to our system,” says the company’s security analyst.

He did have a few other issues. The security signatures in SurfinShield were corrupted when desktop users installed Microsoft’s Internet Explorer 5, but Finjan fixed this in its current version, the analyst says. And SurfinShield doesn’t audit the behavior of macros.

“What using SurfinShield brought to my attention is that when you attach to any Web site, you are basically giving that Web site entire rights to your system,” says the security analyst. “We tell people, ‘Thou shalt not open executables.’ But they do it anyway. SurfinShield is now blocking that.”

PHIL KANTZ, CEO of Finjan Software, says his company’s products take a proactive, rather than reactive, approach to security.


Finjan Software Inc.
2860 Zanker Road, Suite 201
San Jose, Calif. 95134
(408) 981-1690

Niche: Its software monitors executable e-mail attachments and other active content and blocks suspicious behavior. It protects by monitoring activity, rather than relying on virus signatures.

Company officers:
• Phil Kantz, acting president and CEO
• Jeff Feuer, vice president and chief financial officer
• Yigal Edery, director, research and development

Milestones:
• January 1998: Company founded, SurfinGate released.
• Q1 1999: SurfinShield Corporate released.
• July 2000: Awarded a U.S. patent for the code inspection technology.

Burn money: $20 million from Bessemer Venture Partners LLC, Star Ventures Capital LLC, RRE Ventures LLC, CSK Venture Capital Co. and Security Dynamics, a subsidiary of RSA Data Security

Products/pricing: SurfinShield Corporate 5.5: $59 per seat; SurfinGate 5.6: $49 per seat.

Customers: European Parliament, U.S. Pentagon, IRS, others.

Red flags for IT:
• The products won’t help with pre-existing viruses.
• Some antivirus software vendors are adding this capability.
• Products are a supplement to, not a replacement for, antivirus software.


the buzz

STATE OF THE MARKET

Riding the Cybercrime Wave

Finjan is at the right place at the right time. Gartner Inc. in Stamford, Conn., estimates that the economic cost of cybercrimes will increase 1,000% to 10,000% through 2004, and attacks generated through executable e-mail attachments are an increasing part of the mix.

Finjan operates in a specialized security space: Its products perform real-time monitoring of inbound active content in e-mail attachments and block associated activity produced by these viruses. But because the software can accommodate different profiles, administrators can allow certain types of ActiveX content to flow to the end user. This is called “white listing,” and a few competitors in the field also offer some degree of this customization.

According to IDC analyst Christian Christiansen, the market for this type of software is hard to gauge because it’s part of larger offerings from companies such as Islandia, N.Y.-based Computer Associates International Inc. CA’s eTrust product, for example, works within the Unicenter TNG Framework to block some types of active content but normally reacts only to known viruses.

Some vendors of intrusion detection software are also adding blocking of active content for servers. For example, Atlanta-based Internet Security Systems Inc. recently added such capabilities to its RealSecure intrusion detection software.

As for offerings from traditional antivirus vendors, Gartner analyst Bill Malik says Symantec Corp. in Cupertino, Calif., and Network Associates Inc. in Santa Clara, Calif., offer similar capabilities but Finjan’s is more advanced.

Pelican Security Inc.
Chantilly, Va.
www.pelicansecurity.com

Pelican Security’s SafeTnet desktop software also detects and isolates downloaded active content. But unlike Finjan, the company says its products let users secure applications and systems by determining who has access to make changes. It blocks content by determining what can be changed, as opposed to what can be let through.



















[Chart: Who does the best job of protecting data on computers? Categories include big business, small business and governments.]

The threat from computer crimes and other online security breaches has barely slowed, never mind stopped, according to a recent survey of 538 security professionals in U.S. corporations that was conducted by the Computer Security Institute and the FBI’s Computer Intrusion Squad.

Reported breaches in the past six months: 85%
Reported financial losses in the past six months: 64%
Could quantify financial losses: 35%

Year 2000: (265,589,940)
Year 2001 (projected): (377,828,700)

Theft of proprietary information: $151.2M
Fraud: $92.9M

U.S. Incident Response Services Expenditures by Service Activity

Key findings include the fact that services will experience growth respective to the number of cyberattacks, and security breaches and individual service activity spending over time will increase or decrease at varying rates, according to [illegible] and frequency.

                              1999    2000    2001    2002
Cyberforensics                $14M    $24M    $36M    $45M
Incident-response services    $74M    $94M    $129M   $152M
Total                         $88M    $118M   $165M   $197M

Only 0.4% of a company’s revenue, on average, is dedicated to information security in the U.S. By 2011, however, that figure will accelerate tenfold to 4% of revenue for U.S. companies, according to Gartner Inc.’s total cost of ownership model.

[Table; column headings illegible]
Servers down for more than one hour: 9%, 64%
[illegible]: 50%, 66%
Companies with data loss: 31%
SOURCE: ICSA LABS, CARLISLE, PA.; ICSA LABS 6TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2000

Top 10 Viruses

The most active viruses in the past four weeks, according to MessageLabs Ltd., a U.K.-based virus-detection agency.

[illegible]             15,265
W32/Hybris.B-m          12,962
VBS/VBSWG.X-mm           6,850
JS/Kak-m                 4,859
VBS/ExtraHelp.A-m        3,687
W32/BadTrans.A-mm        2,947
W32/MTX-mm               2,021
W95/Hybris.D-m           1,878
VBS/LoveLetter.C-mm        834
W97M/Marker.C              317

Security Challenges

1. Begin with a strong security policy as a foundation for an architecture. The policy should specify what, how, where and by whom allowed activity is performed on corporate servers or networks.
2. Classify all assets and types of users.
3. Reinforce the basic safeguards for physical and perimeter security.
4. Deploy policy-based centralized management.
5. Focus on strong authentication and authorization.
6. Commit to ongoing audit and review.

RESPONSE

1. Employ security professionals (such as Tiger/SWAT teams) remotely or on-site.
2. Identify, contain and disconnect access to the infected portion of a network.
3. Monitor and record network intruders’ actions, when possible.
4. Obtain images and data logs of networked systems.
5. Protect images and evidence on safe media.
6. Assess economic damage.
7. Clearly and concisely report the event, countermeasures and status to senior management.

Though the cost of intrusions is high, many companies still haven’t devoted many resources to protecting themselves.

Total annual cost of online security breaches to corporations: $15B
Percentage of companies that spend 5% or less of their IT budget on security for their networks: 50%
Percentage of companies that have yet to implement adequate security: 30%

E-Mail Flu Season

The following graph plots the ratio of viruses to e-mail during the past 12 months. You can see that the ratio varies from one virus in every 1,400 e-mails in September 2000 to one in every 400 in May 2001.

[Graph: NUMBER OF E-MAILS PER VIRUS]
SOURCE: MESSAGELABS LTD., GLOUCESTER, U.K.
















Protecting the integrity of data is 
only half the job of the corporate 
security manager. The other half is 
persuading employees to protect 
their data wherever it is. 


By Deborah Radcliff 


MOST COMPANIES wouldn’t think of putting information security, physical security and facilities into one unit. Yet 12 years ago, Eduard Telders made combining the management of these units a condition of his employment at Pemco Financial Services in Seattle.

Now, Telders says he knows of a 
dozen or so Fortune 500 companies, 
including Microsoft Corp., that have 
put physical and technical security 
management together as a single func- 
tion. And at both Microsoft and Pemco, 
the position was handed to a technical 
security manager, not the physical se- 
curity manager. 

It takes a unique technologist to 
make this leap. Managing these once- 
disparate groups calls for thinking far 
beyond “making the wires hum,” Tel- 
ders explains. This renaissance posi- 
tion calls for a manager who can think 
about how those wires open the com- 
pany to the risk of internal embezzle- 
ment and fraud, data theft and cus- 
tomer privacy violations. 

That means the corporate security manager must also stay up to speed on the physical risks to corporate data, such as building-access violations like “shoulder surfing” (following a badged employee through an open door). Telders stays up-to-date through his memberships in organizations such as the American Society of Industrial Security and by maintaining his standing as a certified protection professional, which he received in 1999.

Today, most investigations into secu- 
rity threats or violations require both 
physical and technical investigative 





techniques. For example, when Pemco 
had problems with employees sending 
hate mail and surfing the Web for 
pornography late at night a year ago, 
Telders’ team first tracked physical ac- 
cess to areas of the building 
through its key-entry sys- 
tem. Then they checked to 
see who was logged on in 
those areas at night. Finally, they exam- 
ined the log files on those systems to 
see what was being accessed. 
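
The three-step correlation described above (key-entry records, then logons, then system logs), as an added example that is not Pemco's tooling. The log formats, names, areas and the 20:00 to 06:00 night window are assumptions, and every record is constructed.

```python
from datetime import datetime, time, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data; badge IDs, accounts, areas and hosts are hypothetical.
BADGE_LOG = """
2001-06-12 14:10, B1050, mailroom
2001-06-12 22:41, B1007, claims-2F
2001-06-12 23:05, B1033, claims-2F
"""
LOGON_LOG = """
2001-06-12 08:02, 2001-06-13 06:30, jdoe,   WS-214
2001-06-12 09:00, 2001-06-12 17:05, bwong,  WS-101
2001-06-12 23:09, 2001-06-13 00:40, asmith, WS-220
"""
ACCESS_LOG = """
2001-06-12 15:00, WS-101, http://intranet.example/claims
2001-06-12 23:15, WS-220, http://blocked-category.example/
2001-06-12 23:20, WS-214, smtp://mail.example (outbound message)
"""
BADGE_OWNER = {"B1007": "kmills", "B1033": "asmith", "B1050": "bwong"}
WORKSTATION_AREA = {"WS-101": "mailroom", "WS-214": "claims-2F",
                    "WS-220": "claims-2F"}


def rows(text):
    """Split comma-separated log text into lists of stripped fields."""
    return [[f.strip() for f in line.split(",")]
            for line in text.strip().splitlines()]


def ts(value):
    return datetime.strptime(value, FMT)


def after_hours(t, start=time(20, 0), end=time(6, 0)):
    """True when t falls in the overnight window (assumed 20:00-06:00)."""
    return t.time() >= start or t.time() < end


def correlate(badge_log, logon_log, access_log):
    # Step 1: after-hours entries per area, from the key-entry system.
    entries = {}
    for when, badge, area in rows(badge_log):
        if after_hours(ts(when)):
            who = BADGE_OWNER.get(badge, badge)
            entries.setdefault(area, []).append((ts(when), who))

    # Step 2: logon sessions on workstations located in those areas.
    sessions = [(ts(a), ts(b), user, ws)
                for a, b, user, ws in rows(logon_log)
                if WORKSTATION_AREA.get(ws) in entries]

    # Step 3: what those workstations accessed during the night.
    findings = []
    for when, ws, resource in rows(access_log):
        t, area = ts(when), WORKSTATION_AREA.get(ws)
        if not after_hours(t) or area not in entries:
            continue
        account = next((u for a, b, u, w in sessions
                        if w == ws and a <= t <= b), None)
        # The entry system records no exits, so anyone who badged in during
        # the previous 12 hours is treated as possibly still present.
        present = sorted({who for entered, who in entries[area]
                          if timedelta(0) <= t - entered <= timedelta(hours=12)})
        findings.append({
            "time": t, "workstation": ws, "resource": resource,
            "account": account, "present": present,
            # False means the session owner never badged in: a machine left
            # logged on, or an account used by someone else.
            "account_present": account in present,
        })
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, LOGON_LOG, ACCESS_LOG):
        print(finding)
```

In the constructed data the second finding comes from a session left logged on since the morning, so the account name alone would point at the wrong person; only the badge records show who was actually in the area.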

“All companies have ... abuses of systems and other [human resources] problems,” Telders notes. “Computers have just become one of the tools to commit [electronic] indiscretions.”

Along with knowledge of the IT and physical aspects of data protection, Telders must rally every employee around protecting the company’s data in all forms. For example, when users said no one would mess with their computers left on at night, Telders suggested that they cash their paychecks and leave the money on the keyboard over the weekend to see if it would still be there Monday. That clicked with them.

“The first thing I learned about 
managing the physical was that com- 
munication is extremely important 
with users whom you are trying to put 
tight controls around,” Telders says. 
“They need to understand in their 


| own terms the whys and wherefor- 


es of how the entire security sys- 

tem works. And you must be very 

responsive to their problems.” 
Ironically, it’s the workers on his old stomping grounds, the IT group, whom he has to keep the closest eye on, he says. They’re the ones trying to punch holes in the firewall to drop in Digital Subscriber Lines and download the latest cool stuff. And they’re the ones who see his security policies as an opposition to them accomplishing their mission of making the wires hum. In fact, Telders has to occasionally quash rebellions among IT group employees when they try to wrestle information security management away from Telders’ unit.

Although Telders can empathize, he says his real responsibility is to the owners of the data — the shareholders and the board.

“We represent the owners of the data. And based on the rules of the data owners, we make determinations of what is and is not appropriate,” he says.


MORE IN DEPTH STORIES
• See our chart on top-paying regions and industries for IT security professionals.
www.computerworld.com/securityonline

IN DEPTH RESEARCH
• Security training and education research links.
www.computerworld.com/securitylinks


Profile

NAME: Eduard Telders
TITLE: Corporate security manager
REPORTS TO: Chief technology officer

DIRECT REPORTS:
• Security compliance officer (physical security management)
• Safety and security coordinator (safety and physical security administration)
• Senior information security analyst (engineering and design, penetration and intrusion detection, forensics)
• Two information security analysts (daily administration/project work)

REQUIREMENTS:
• Basic understanding of operating systems, networking and IT security
• Risk-management background
• Physical security certifications and training
• Master's degree (Telders’ is in biology)
• Be adaptable, ethical and a strong business communicator


The Guardian 
www.aspensummit.com


Featured Keynote 


Reed Hundt 


Former Chairman of the FCC 


Jerome Beaudoin 
Chief Information Technology Officer, Northstar Energy 
Enterprise Wireless in a High Risk Industry 


Kevin Brough 

Managing Director, Pacific Region, 
Nokia Networks 

Business Drivers for 
Enterprise Wireless 


Rebecca MacKinnon 
President, Chief Executive Officer and 
Founder, BeyondNow Technologies 


Transcending Barriers with 
Wireless Solutions 


Tom Magill 

Vice President Logistics, 
McKesson HBOC 

Mobile Computing Leads the 
Way to Quality 


Tyler Nelson 
Vice President Business Development, Research in Motion 
Wireless Technology FITS Your Networking Strategy 


Limited Attendance for 150 Senior Level Attendees 
Call (800) 575-3367 or visit www.aspensummit.com to request an invitation 


The Competitive Mandate for Instant Commerce 


Simon Pugh 

Vice President, Infrastructure and Standards, 
Mobile Commerce, MasterCard, International 
Loss of Innocence: Security in a 
Wireless World 


Ernest Teves 

Chief of Research and Development, 

M.D. Anderson Cancer Center 

The Perils and Pitfalls of Deploying 
a Wireless Strategy 


Ronald Willis 

Vice President Consumer Business, 

Cisco 

The “Instant” Internet: High-speed, 
Secure Access Anytime, Anywhere


John Yuzdepski 

Vice President, Sprintpcs.com 

and Board Member, WAP Forum 
Power to Your People: Wireless 
Knowledge Transfer 


What Three Components
Set Delphi's Aspen Executive
Summit Apart?


The Focus!


A single-track event dedicated to Enterprise 
Wireless — not a broad-based wireless show 
A focused high-level executive audience — 
not a large undifferentiated audience 

A speaker lineup of genuine CEO, vice 
president, director end users and luminary 
leaders — not a vendor agenda 


A strategic look at the business case(s) and 
implications of Enterprise Wireless — not the 
technical details 


The Community! 

At the Aspen Executive Summit you 

are not merely an attendee, you are a key 
member of the Enterprise Wireless community. 
Every aspect of this event is designed to help 
you create a life-long network of valuable 
relationships. From the intimate exclusive 
attendance, to catered lunches and evening 
networking receptions, in the elegant small 
resort of Aspen, Colorado, Delphi's Aspen 
Executive Summit offers a fantastic opportu-
nity for networking, socializing, and learning
with the highest level of the leading Global
2000 organizations.


The Experience! 

Surround yourself with the experience of 
senior level end users that understand the 
strategic impact of building Enterprise 
Wireless solutions! 

Participate in one of the most exclusive 
events in the wireless industry! 

Immerse yourself in a high-powered interactive 
environment that provides the best take-away 
experience and tools to make Enterprise 
Wireless a reality in your organization! 




Programmer/Analyst, Columbia 
MD. Analyze, design, develop. 
debug, optimize, implement & 
test and maintain software appli- 
cations and systems using Java. 
HTML, E-Commerce Systems 
Perl, Dreamweaver, J Server, J 
run, and Windows NT. Reqd 
B.S. or equiv. in Computer 
Science & 2 yrs related exp. 
M-F, 40hrs/wk + O/T. Send 
resume to S. Monaceili, HR Ref 
# 235, Maxim Group inc 
6992 Columbia Gateway Drive 
Columbia, MD 21046 


Prog/Analyst, Comp. Support 
Specialist, Comp. Engr. or DB 
Admin.: Design, develop & test 
computer programs using Java. 
C++, UNIX, Oracle, SQL Server. 
Min: BS in Comp. Sci. (or equiv.) 
& 1 yr exp. Senior Prog/Analyst, 
DB Design Analyst, Comp. Engr. 
or DB Admin.: Analysis, design 
& development of computer 
programs using Java, C++ 
UNIX, Oracle, SQL Server. Min 
MS in Comp. Sci.(or equiv.); or 
BS in Comp. Sci. (or equiv.) & 5 
yr exp. Resume: HR Dept., ITM. 
6 Kilmer Rd., Edison, NJ 08817 


SENIOR SYSTEMS ANALYSTS 


Req’s Master's deg in Comp Sci 
or Bach's deg in Comp Sci plus 
5 yrs prog resp exp as Systems 
Analyst or related occup. Resp 
for designing, developing & 
implementing software systems 
and Windows & Web dev’mt 
Req'd skills include Java, C++ 
Visual Basic. E-mail resume to 
knowlton@teamtpc.com or send
resume to Julie Knowlton
Technology Professionals Corp
1 Ionia SW, Ste 400, Grand
Rapids, MI 49503.


Prog/Analyst, Comp. Support
Specialist, Comp. Engr. or DB 
Admin.: Design, develop & test 
computer programs using Java, 
C++, UNIX, Oracle, SQL Server. 
Min: BS in Comp. Sci. (or equiv.) 
& 1 yr exp. Senior Prog/Analyst 
DB Design Analyst, Comp. Engr. 
or DB Admin.: Analysis, design 
& development of computer 
programs using Java, C++, 
UNIX, Oracle, SQL Server. Min 
MS in Comp. Sci.(or equiv.); or 
BS in Comp. Sci. (or equiv.) & 5 
yr exp. Resume: HR Dept., ITM. 
6 Kilmer Rd., Edison, NJ 08817. 


SOFTWARE ENGINEER: The
Software Engineer will work in a 
small team of Engineers to code 
and test applications on a Win- 
dows platform developed using 
C and VC++. Will design and 
develop software for the utility 
industry, using C/C++, employing 
component based enterprise 
solutions. Will develop a web 
based Graphical User Interface 
(GUI) using HTML, DHTML or 
Java. The Software Engineer will 
also use Multi-threading and Inter 
process communications. Re- 
quirements: B.S. or equivalent in 
Computer Science, Electronics. 
Electrical Engineering or a related 
field and four (4) years experience 
in the job offered OR in software 
application engineering for the 
utilities industry. Demonstrated 
expertise using two of the fol- 
lowing tools: VC++, RDBMS 
ODBC, MTS, MSMQ, and XML 
Offered salary is $74,000/year 
for full-time employment (min. 40 
hours per week) and standard 
company benefits. EEO. Submit 
2 resumes and respond to Case 
No. 20002249, Labor Exchange 
Office, 19 Staniford Street, 1st 
Floor, Boston, MA 02114. 


E-Business Solutions Consultant 
-Design/develop/code/test 
webproEX software (Webspeed/ 
Progress/MFG/PRO based e- 
business solution), design new 
modules, maintain old releases. 
assist Project Mgr to release 
new software versions, & support 
clients for webproEX customiza-
tions. Bachelor's degree in
Computer Science or Engineer-
ing req'd & 1 yr experience in job
offered or as Software Developer 
or Programmer req'd. Must be 
proficient w/ Progress Version 6 
or higher/ Webspeed/MFG. 
Pro/Javascript/HTML. 40 Hrs 
wk, $75,000/yr, OT as needed 
Apply to: F. Garmon, Bravepoint 
5875 Peachtree Industrial Blvd
Norcross, GA 30092, Ref: DG 


Programmer/Analyst. Dsgn, dvlp
& implmt commercial s/ware
applics using C++ prgmg lang,
commercial applic frameworks,
& object-oriented methodologies
in C/S d/base envrmt; identify,
dsgn, dvlp & implmt object-
oriented & generic reusable
applic components & parts 
review & re-factor existing code 
base to improve code quality & 
components’ reuse rate & to 
resolve performance/resource 
consumption problems. BS in 
Math, Comp Sci, Physics, Eng or 
rel. field + 1 yr exp in job offd or
rel. occupation such as S/ware 
Engr or similar duties under 
different job title. Exp to incl 
MacOS &/or Win 95/NT & C++ & 
object-oriented prgmg. Demon- 
strated ability to analytically 
solve problems & communicate 
clearly. 40 hr/wk, $39K/yr. Must 
have proof of legal auth to work 
in US. Send resume to IA Work- 
force Ctr, 1700 S. 1st Ave., Ste 
11B, PO Box 2390, Iowa City, IA
52244-2390. Pls refer to JO 
1A1101409. Employer paid ad. 


Database Analyst. Responsible 
for designing, implementing and 
maintaining database, software 
tools and documentation for 
Internet based financial appli- 
cations. Must have Master's 
degree in Finance, Accounting 
Information Systems or related 
field. Must have knowledge of 
financial data analysis, SQL, 
ASP, C, and Visual Basic. Send 
cover letter and resume to 
Stockpoint, Inc., Attn: Ronald E 
Stablein, 2600 Crosspark Road, 
Coralville, Iowa 52241


SYSTEM ANALYST to design
develop and analyze 


using Visual Basic, Oracle and 
object oriented programming 
interface between COBRA (We 
com) and Primavera Enterprise 
using Visual FoxPr Jevelor 
and support invoicing program for 
COBRA using PowerBuilder 
FoxPro and Dbase. Require: B.S 
in Computer Science/Information
System/Mathematics and two
years of experience. M.S. degree
may be substituted for B.S. degree
and 2 years of experience.
Salary: $75,000 per year, 8 am 
to 5 pm, M-F. Apply with resume 
to: HR Manager, 4U Services 
Inc., 1001 Virginia Avenue, Suite 
300, Atlanta, GA 30354 (Ref. Nc 
ATLOO1) 


SOFTWARE ENGINEER to 
provide consultancy in design. 
analysis, development and main 
tenance support for Customer 
Information System on IBM 
mainframe legacy systems using 
CICS, COBOL II, DB2, VSAM 
JCL and Easy-Treive; provide 
performance review of ine 
and batch application code 
analysis and performance tuning 
of SQL used in data processing 
programs. Require: M.S. in 
Computer Science and three 
years experience in the job 
offered or any experience pro- 
viding skills in described duties 
Salary: $65,000 per year, 8 am 
to 5 pm, M-F. Apply with resume 
to: CEO, F1, Inc., 359 S. Franklin 
Street, Valparaiso, IN 46383 
6423 


Sr. Programmer Analyst: Convert 
project specs using flowcharts 
diagrams and design techniques 
for business applications. Perform 
systems analysis, modify and 
enhance applics for Peoplesoft 
Financials by using People Tools 
Invision and Java. Provide busi 
ness processes enhancements. 
develop Chart field level security
and web-enable applicati 

MS Deg in Computer Scien 

BS in Computer Application: 
years progressive experience 
Sal $75K/yr+Med Benefit. Resume
to VP, Criterion Software LLC 
120 Wood Avenue South, #300 
Iselin, NJ 08830. 


Managing Consultant 

Direct activities of Application 
Consultants defining solutions 
and delivering services to clients 
deploying enterprise applications. 
Must have MS in EE, CS, CE or 
related. Employer will accept 
MS degree or its equivalent in a 
BS degree followed by 5 yrs 
progressive experience in the 
field. Send resume to: Erin Neagle, 
Human Resources, Recruiting 
Coordinator, Extraprise Group 
321 Summer Street, Boston 
MA 02210 


SENIOR CATEGORY ANALYST 
(Boca Raton, FL): Collect, scrub 
& classify retail customer sales 
& inventory data; assist in 
planogram process for lay retail 
customers; evaluate & critique 
customer SKU forecasts; also 
develop SQL queries for data 
reporting store and streamline 
current reports & analysis 
through automation tools such 
as Access; Req. MBA plus 1 yr 
exp. in job offered or as 
Merchandise Analyst. Resume 
to: Barbara Yamulla, Director of 
Human Resources, New Dana 
Perfumes, Corp., 470 Oakhill 
Rd., Mountaintop, PA 18707. 


Software Eng 
positions) sough 


Texas-based 


c 


yr s/ware exp. Respond 
>: HR Dept, Innovative Business 
5353 Alpha 


108, Dallas 


Web Services Director for 
benefits consulting firm. Leads & 
manages functional & technical 
integration of web-based bene- 
fits platforms with existing HRIS 
systems. Knowledge ERP, SAP. 
HR, ASAP. Peoplesoft. BS Com: 
puter Science/Math/Engineering. 
Resumes to: careeropportunities 


@cwcainc.com 


Network Engineer: configuration, 
installation & administration of 
network sys., standardize soft- 
ware; in-store & on-site repairs 
to network server or station 
Provides technical support & 
answers trouble calls. Req. BS or 
equiv. in CS or CIS w. proficiency 
in Windows NT, AIRNET & Novell 
$49,000/yr, 40 hr/wk, 8-5. Contact 
L Atlanta Electronics Inc. dba 
Leadman Electronics USA, Inc 
5470 E Oakbrook Pkwy, Norcross. 
GA 30093, fax: 770-448-0054 


Computer Support Specialist 
Provide technical assistance 
and support for system users 
Answer clients’ questions con- 
cerning NT Server/ Workstation 
WIN 95/98/00, software such as 
SBT and Peachtree. Provide 
database support for Access 
Oracle, SQL, and Visual Basic
BS and 1 year exp. (will accept
MS) Send resume: HR, PC
Warehouse, 70 East Palisades
Avenue, Englewood, NJ 07631


Software Engineers/Programmer 
Analysts wanted for IT consulting 
firm in New Hyde Park, NY. 


Duties require designing, devel- 
oping, maintaining, implementing. 
interfacing and customization in 
Oracle/Oracle Application Pack- 
ages using Oracle Applications. 
Oracle Financials, Oracle Projects. 
Oracle Manufacturing, Oracle 
Developer 2000, Designer 2000. 
Forms, Reports, SQL Loader 
PL/SQL, SQL Plus, C, Pro*C 
Unix, Windows and Oracle Tools 


Sftwre Engnrs require Master's 
degree or equiv in Comp. Sci 
Electronics, Physics, Math or 
Engg, & 3 yrs exp or Bach & 5 
yrs of prog exp. Progmr/Anlysts 
req Bach or equiv & 2-4 yrs exp. 


Respond to VP, S & S Information 
Systems, 33 Durham Road, New 
Hyde Park, NY 11040. Fax 
516-616-4092, e-mail: ssinfosys 
@aol.com 


SR SOFTWARE ENGINEER 


PRINCIPAL S¢ 


Bach 
yrs’ exp 
authorizatic 


IMAA 
An EOE 


priate 
Langevin, Hun 
Westford, MA 


kendra_langev 


Computer Support Specialist t 
install, modify and make min 
repairs to computer h 

and software systems and 
vides technical assistance and 
training to system users: diagnoses 
computer hardware, software 
and operator problems; performs 
Or instructs hardware and software 
installation, testing and repairs 
perform network designing 
Server installing and TCP/IP set 
ting. Enters and modifies cor 
mands and observes sys’ 
functions to verify correct system 
operation. Answers technica 
inquiries in person or via telephone 
concerning system operatic 
Writes or modifies settings 
commands for programs to run 
under different operating systems 
Req: BS in Computer Informatior 
Systems or a related field, ability 
to diagnose malfunction and failure 
of computer or co nents 
without using manufacturer's 
manual or specification. $24k/yr 
40hr/wk, 9am to Spm; Fax re 
sume to (770) 810-8893, attr 
Jennifer Hu 


Position: Senior Software Engi 
neer. Qualifications: Must have 
at least an MS gree in Com 
puter Science, Electronic 
Electrical Engineering or related 
plus at least 3 years job-offered 
experience. In lieu of MS di 


five years of progressive 
offered experience. Must have 
proof of legal authority to work in 
the U.S. Duties: Design, imple- 
mentation (in C language) and 
testing of multimedia Internet 
protocols such as H-323 based 
(a VOIP networking protocol) 
audio conferencing, which flows 
into Company's GSM product 
across various platforms. Utilize 
good understanding of operating 
system internals to analyze, debug 
& fix software defects identified 
as part of H-323 interworking 
function for GSM product, as 
well as a good understanding of 
the underlying hardware. Area 
of Employment: Colorado Springs. 
Colorado. Salary: $65,410 per 
year, 40 hour work week. Contact 
Send resume to Jim Shimada 
Colorado Department of Labor 
and Employment, Tower 2, Suite 
400, 1515 Arapahoe Street 
Denver, CO 80202-2117; refer 
to Order Number CO JL 1120059 


Computer Prof'ls: (1) Openings 
for Prog/Anal, Syst’s Anal, DB 
Admin or Computer Engg 
Design, develop & test computer 
progs for busn appl's using Java 
Lotus Notes, C++, VB, ASP. 
Unix, Oracle, SQL Server. BS in 
Comp Sci, Comp Engg, Info 
Syst’s or Elec Engg (or equiv) & 
1 yr exp. (2) Openings for Sr 
Prog Anal, DB Design Analyst 
DB Admin, or Computer Engg 
Design, develop & test computer
programs for busn appl’s using 
Java, C++, VC++, VB, ASP. Unix 
Oracle, SQL Server. MS in 
Comp Sci, Comp Engg (or 
equiv) & 5 yrs exp. Resume: HR 
Dept, Fulcrum Logic. Inc, 313 
South Ave, Ste 102D, Fanwood 
NJ 07023 


TWARE 


Desig: 


onsul 


Related expe 


Naples, FL 

Send res 

Workforce a 
Workforce Pro 

P.O. Box 10869, Tallahass 
32302. Re: JOFL # 2 


SAP PROJECT 

Multiple openings 

SAP Project Engineer 

sibilities in 

design, development 4 impie 
mentation of information sys 
tems utilizing ABAP. Java, and 
UNIX; manage the customization 
and integration of SAP an: 
software ns; Mand 
customizatio SAP R/3 
mplement ERP packages 
manage the configuratior 
SAP software for all areas of 
corporate operations on a fully 
integrated, real-time online basis 
Travel as required to Heidelberg 
sites throughout the United State 
Monday - Friday. Must have a 
Bachelor's Degree f 
and/or education equ 
Mechanical Engineering 

years of progressive experience 
in SAP systems analysis, engi 
neerin yr related field 3 
Master's degree educationa’ 
and/or foreign equivalent as 
described and three (3) years of 
progressive experience as de 
scribed. Salary: $110,386/year 
and up, commensurate with ex 
perience. Must have 

legal authority to w 

United States. If interested, submit 
resume to 


s. Alic 
Manager, Hume 

Heidelberg USA, Inc. 

1000 Gutenberg Drive 


Kennesaw, Georgia 30144 







PROGRAMMER/ANALYST 
DATABASE ANALYST 


vices seeking candidates with commercial experience 


1d application programmers witt 
date should have a BS (or foreign equivalent) ir 


r a related field 


7 years com 


levelopers with mir 1 3 years commercial ex 
have an MS (or for equivalent) in Comput 


ar 


available 


in the San Francisco Bay area. 


Operating System - Unix, MS Windows, NT/95, OS/2 RDBMS - Sybase 
O sO or it 


Jer, Deve r 2C Designe 


Purchasing, Distribution Internet P 


Java Languages - C, C++,Per 


x Front-end tools - Visual Basic, Power 
t 2000 Applications - ERP, Inventory 
rogramming Tools - Web Servers, ASP, 


Hfshore Digital Se es provides competitive salaries, benefits, and a 


reased tomer nterested’ 


irage long-term employment and in 


Send a detailed me with post 


ind, project experience, and geographic pret 


shore Digital Services, Inc 


n Leandrc 


CA 94577 Tate = 


personne! @ odsi.com ll ITAL | 


BroadVision 


Personalizing e-Business 
A Comprehensive Blueprint 
iting the Business 


al of the Net 


-critical business 
robust and scalable 
nsact 


1 people 


act Mi 
Marketir 
stomer Support 
Publications 
Software QA 
Sales 
Product Management 


Administratior 


se see our website 
www. Droadvis' rT 
Staffing FAX: (650) 569-4334 


email: hr@ broadvision.com 


MAGNA INFOTECH, a fast 
growing consulting company 
is looking for Programmer 
Analysts, Software Consultants 
and Software Engineers with 
experience in one or more of 
the following 


Baan implementation 


UNIX: C, C++, Shell, AIX, HP 
UX, Solaris Admin, Networking 


AS/400: RPG/400, COBOL 
400, CL, BPCS, JD Edwards 
Synor 


WINDOWS: VC++, VB, PB. 
MFC, OLE/COM, Admin 


REAL TIME: Microprocessor 
RTOS Programming 


INTERNET: Java, Javascript 
CGI, Perl, WAP. Admin, Active 
X, ASP 


DATABASE: Oracle, Informix 
Sybase, DB2 Admin Developer 
2000, Designer 2000 


Sales Manager / Marketing 
Manager; must have at least 2 
years of Sales experience, BA 
Degree or Foreign Equivalent 
Degree and basic computer 
skills 


Multiple positions exist at 
various sites across the US 


If you are interested please 
mail your resume clearly 
mentioning the reference 
number Cwo0300 to 
Attention Recruiting Dept., 
Job Ref. CW1000, Magna 
Infotech Ltd. 1 Padanaram 
Rd., Suite 208, Danbury, CT 
06811-4833. 




Software Project Manager wanted 
by software R&D co. in Culver 
Must have bachelor's 
degree in computer sci, eng! 
neering or rel. field + 2 yrs exper 
with complex, large scale s/w 


projects through all phases ir 


UNIX envir. using C, C++ and 
obj. oriented devel. Will supervise 
2r s/w professionals. Send 
o Human Resources 

400 Corporate Poin 


Culver City, CA 902 


Computer Positions: Programmer 
Analyst, System Analyst, Soft 
ware Analyst, Network Analyst 
Systems Engineers, Network En 
gineers, Database Analysts, IT 
Marketing Specialist, and other 
technical professional. Multiple 
openings. Nationwide client sites. 
We need professionals with at 
least a bachelor's degree in 
computer science, engineering 
mathematics, statistics, related 
technical fields, or any business 
and 1+ year of relevant experi 
ence. Fax resumes to 212-244- 


5082, att: Dept. MIL 


SOFTWARE ENGINEER to 
design and develop database 
systems using Oracle Developer 
and web development tools; and 
design, develop, analyze and 
implement client/server and web 
based applications including GUI
design and development using
PL/SQL and SQL*Plus on various
operating systems. Require
Master's in Computer Science.
Electronics Engineering and 
three years experience in the job 
offered or any experience providing 
skills in described duties. Bach-
elors and five years experience
may be substituted for Masters 
and three years experience 
Salary: $67,050 per year, 8 am 
to 5 pm, M-F. Apply with resume 
to: Director, Systems Development 
Georgia Department of Natural 
Resources, 205 Butler Street 
Suite 1252, Atlanta, GA 30334 


Software Developer. Develop 
and customize base-line web 
applications for Human Re- 
source Management. Responsi- 
ble for security administration of 
database, quality assurance 
and customer support. Must 
have B.S. in Computer Science, 
Engineering, or related field, 
2 years’ experience as Software 
Developer or any suitable 
combination of education, training 
or experience. Must have knowl- 
edge of ASP, JavaScript, HTML 
VBScript, Access, and SQL 
Send resume and cover letter to 
HRSoft, LLC, Attn: Paul Brook, 
505 North 4th Street, Fairfield, 
Iowa 52556


Application/Graphical Web
Developer needed in Dallas. 
Texas area for website and web 
application development, spe 
cializing in web graphics/human 
interface design and application. 
business material graphics 
design, graphical user interface 
Standards research development. 
client-side/server-side web pro 
gramming, database programming 
and web development using 
graphical tools for image editing 
and graphics design, programming 
environment tools for software 
development. Requires 3 years 
in job offered. Send resume tc 
RiverRock Systems, P.O. Box 

0 Addi 5001-0990 

) Code: GUIWD. 


Systems Engineer needed t 
research, design and develor 
computer software systems, ir 
Conjunction with hardware product 
requirements, applying principles 
and techniques of comp 
science, engineering and math 
ematical analysis. Degree and 
experience required. Send 
resumes to Michael T. Wilson 
President, Joseph Graves 
Associates, Inc., 3077 East 98th 
Street, Suite 160, Indianapolis 
IN 46280-1970. 


Software Engineer. Plan, develop. 
test and document PC-based 
software modules to implement 
the intelligent process optimization 
algorithm using C++, and Win 
dowsNT/2000. Develop informa 
tion retrieval and database 
processing application and 
customized graphic user inter 
faces. Must have B.S. in Com 
puter Science or related field 
and knowledge of C++, COM+ 
Visual Basic, SQL, ASP and 
HTML. Send cover letter and 
resume to Stockpoint, Inc 
Attn: Ronald E. Stablein, 2600 
Crosspark Road, Coralville, Iowa


Full time Web Designer Respon 
sibilities include: Design, develop 
and implement website applica 
tions for prominent technologically 
advanced financial services 
administration company. Construct 
HTML pages utilizing Jscript 
JAVAScript, CGI Script, and 
FrontPage 98; design and develop 
cascading style sheets and animat-
ed pages utilizing Dreamweaver
and Adobe PhotoShop; and 
design and test page links. Must 
have a Bachelor's degree or its 
foreign and/or educational equiv 
alent in Computer Science and 
two years of experience in web 
development or software engi- 
neering. Must have proof of legal 
authority to work in the United 
States. Salary: $ 68,203 per year 
and up, commensurate with 
experience. If interested, submit 
resume to 


Ms. Katherine Kyle 
Warranty Corporation of America 
3110 Crossing Park Road 
Norcross, Georgia 30071-1367 


Software Eng. positions in Clear 
Lake/Houston TX 


System Software Eng.-one-year 
exp. & Masters degree 


Application Software Eng.-Bach- 
elor's degree 


Send resume and salary require- 
ments to Automation Solutions, 
Inc., 930 Gemini, Houston, TX 
77058, or email: autosol@ 
autosoin.com or fax: 281-286- 
6902 


Software Engineers, Programmer: 
Analysts & Jr. Programmer/Ana- 
lysts needed in A, B, C, D, E, F, 
G: (A): CICS, DB2, Adabas, VSAM 
Cobol, Natural; (B): Rational Rose 
OMC, Java, Weblogic, XML 
Oracle, SQL Server; (C) Oracle 
7.x/8.x, Peoplesoft and related 
tools; (D) Java, C, C++, Oracle & 
related tools, (E) Java on AS/400. 
DBUSO, Surveyor/400, Sublices. 
HTML, Javascript (F) Mainframe 
Applications & EDI using RPG 
400, SQL 400, AS 400, Java
and related internet/web tools 
(G) Multiple positions. These are 
consulting positions requiring 
trav Contact: HR, Prosoft 
Technologies, Inc., 3300 Buckeye 
Rd., Suite 379, Atlanta, GA 
30341. EOE 


Systems Administrators needed 


to configure, administer, maintain 


& manage various servers & 


systems. Apply 


Consultants, 601 Jefferson Rd 


Parsippany, NJ 07054 


User Support Analyst. 8a-5p. 40 
hrs/wk. Analyze, test & resolve 
comp h/ware & s/ware problems 
of users related to dsgn & 
implmtn of bus applics, prgms &
operating systm using Oracle 
VB, SQL, dbase & Lotus 1-2-3 
Bach or equiv deg in Bus Admin 
Comp Sci, Electrical, Electronics 
or related field of Engg. 2 yrs exp 
in job offd or as Systms/Prgmr 
Analyst. Send resume w/ref #003 
to: Dushyant Patel, President 
Nextgen Infotech, Inc., 2090 
Beaver Ruin Rd., Ste 600 
Norcross, GA 30071 


SOFTWARE ENGINEER sought 
by computer consulting co. in 
Houston, TX. Must have M.S. in 
Comp. Sc., or Electrical Engi 
neering plus 6 mos. exp. Respond 
by resume to Mr. J.L. Ogle 
President, Network & Program 
ming Services, Inc., 900 Thread 
needle, Suite 450, Houston, TX 


77079 


Full time Computer Consultant 
responsible for design, write and 
document new on-line and batch 
applications for the AS/400 
system using RPG/400 ILE, CL 
Query/400 and SQL programming 
languages. Develops interfaces 
between systems in a multi-plat- 
form environment, specifically 
between IBM AS400, IBM Main- 
frames and PC platform. Must 
have a Bachelor's degree in 
Computer Science and 2 years of 
experience in the job offered or 
position with same duties. Salary 
$70,000/yr. Send resumes to: 
Laura Kelley at ACSYS Inc. 2400 
Lakeview Parkway, Suite 500 
Alpharetta, GA 30004 


ITcareers Sales Representative 
or Janis Crowley 


1-800-762-2977 


It may not be grabbing the headlines as much as
other stories, but there are a bevy of IT companies who 
continue to face that great, though tough, situation of 
being somewhere between “whoa” and “wow” - slow 
this thing down and let’s race to keep up. 

The majority of such companies are those using the 
Internet as an enabler for a strong business proposition - 
from helping job seekers to cutting the red tape involved 
with everyday business operations. 

Govjobs.com of Costa Mesa, CA, falls within the first 
category — using the Internet to enable job seekers to scan 
the opportunities of the United States’ largest employer, its 
federal, state and local government agencies. 

Govjobs.com lists jobs from recreational coordinators 
to IT professionals, pairing up job applicants with the jobs 
listed by employer agencies. In addition, the site provides 
pay tables for federal positions and tips on landing jobs with 
the government agencies.


IT CAREERS 


Advertising Supplement 


The second category is one filled by Freddie Mac, a 
leading mortgage broker based in McLean, VA. Freddie Mac 
provides underwriting products to assist mortgage lenders in 
providing home loans to their customers. “One of our goals 
is to respond to mortgage lenders and brokers on a purchase 
decision of a mortgage within two minutes,” says Dwight 
Handon, senior director of e-business, infrastructure and 
integration at Freddie Mac. “This requires the most savvy of 
information technology for our customers and for the 4,000 
people who work here.” 

Jason Whitley, president and general manager for 
GovJobs.com, says his company continues to hire up to meet 
market demand for the three-year-old company. “There is 
the potential for ground-floor opportunities,” he says. The 
company will be extending its services in 2002 to include job 
fairs to be held across the country and web development for 
smaller city and township governments who don't currently 
have an Internet presence or online employment pages.

“We are looking for dot-com enthusiasts with, or
without, human resources or staffing backgrounds who want
to learn about and work with the nation’s government,”
Whitley says. “We'll be hiring executive management, opera-
tions and customer service, systems and security personnel.”

The IT challenges at Freddie Mac range from automat-
ed underwriting to a dark fiber network on the Freddie Mac
campus to deploying applications using JAVA technology.
“From a data warehousing standpoint, we are making
terabytes of data easily accessible to all employees
anywhere at any time,” says Handon.

In addition to being named one of Computerworld’s 
“100 Best Places to Work in IT” and being recognized for its 
benefits and compensation program, Freddie Mac, along 
with ESI-International, designed a seven-course training 
program to significantly increase employees’ project 
management skills. “The program provides our employees 
with a master’s certificate in IT project management from the 
George Washington University,” explains Handon. “This 
program, along with the many others we offer, demonstrates 
our commitment to training and development for our 
employees.” Through May, 29 employees have graduated 
from the program and another 140 are currently enrolled.





For more job opportunities with Internet firms, turn to the 
pages of ITcareers. 
• If you'd like to take part in an upcoming ITcareers feature, contact
Janis Crowley, 650.312.0607 or janis_crowley@itcareers.net.
• Produced by Carole R. Hedden
• Designed by Aldebaran Graphic Solutions


Chief Technology Officer. $6,010-$7,670/mo. This is the Department
Head position for the Information Systems Department. Requires at
least 5 yrs progressively responsible experience in systems analysis,
design and business applications, including demonstrated experience
in program management and supervision of technical staff AND a
Bachelor's Degree in technology, business or public administration.
A Master's Degree is highly desirable. Closes 7/30/01.
See www.co.shasta.ca
call (530) 225-5078 for
cations, job flyers de
qualifications, important a
tion information and attribute
living and working in Shasta County. EOE


• Marietta, GA • Phoenix, AZ • Troy, MI •


by more hiring managers than any IT space in the world.


INFOSYS (NASDAQ: INFY) is an acknowledged world leader
in software consulting, with an excellent reputation for quality
solutions, customer satisfaction and employee retention.
We are hiring high-caliber professionals with exceptional 
conceptual and communication skills. 


Business Development Managers 


Hunter profile - will prospect for new business; additionally will establish and manage 
long-term high-value relationships with targeted customers. Candidate must have BS/BA 
in technical, engineering, CS related field or significant management experience + 
MBA/MS-in-management or equivalent. Positions open at listed branches. 


Business Consultants 


Will handle IT-strategy consulting engagements in e-business, ERP, CRM etc. Must have
strong consulting background with BS/BA in technical, engineering, CS related field +
MBA/MS-in-management or equivalent.


Business Systems Analyst


Will leverage strong understanding of business domains and processes to help forge IT-based
solutions for complex business problems. Must have Master's degree or equivalent
relevant experience. For senior level position, MA degree or equivalent and 3+ yrs. exp.
or equivalent is required.


Software Development Managers, Project Leads,
Senior Systems Analysts, Systems Analysts &


Conduct application development at various levels of complexity and team participation.
Seeking candidates for our Software Development Manager positions with MS degree
and 5+ yrs. exp. or BS degree and 8+ yrs. exp. Seeking candidates for our senior level
positions with MS degrees + 3-5 yrs. exp. Seeking candidates for our entry level
positions with BS degree.


Technical and consulting positions rotate through worksites nationwide.


When applying, please mention position and location preference. We offer competitive
compensation, excellent professional development and benefits. Apply to: Human Resources,
34760 Campus Drive, Fremont, CA 94555. E-mail: careers_usa@infy.com. EOE


www.infy.com
Science, Mathematics.


2 years 


the job offered or 


years’ experience in the deve! 


pment of SAP R/3 modules for 
r als, manufacturing and 
distribution. All of the stated 


sst have 
nk Enablir 


V/3; develor 


nts, reports 


PF 


e analysis & 
orograms & 
must include 

f SAP Ri 
so accept 
Jeemed equiv 
Jegree or 


distributior 
le in an aut 


tion facility. Develop 


ing Interface 

onfig 

Develor 

s, interfaces, 

nversions in SAP R/3 
performance analysis 

;0f SAPR grams & 
gs. Enhance the LiFO, API 


ackflust m 


scalable 

tients 
m functional 

specificatio 
nentation and 
esting and 
testing; perform debug 
g and troubleshooting; ensure 
standards compliance; and provide 
al support 
clients 
Computer 

d field 
quivalent to a 
Jegree in Computer 
r related field required 
years of work experience 
5 a software »grammer/ana 
r in software desic 

pment also required. The 
2) years of work experience 
related work experience 
uld include two (2) years of
bo! and JCL and one (1) year 
Adabas/Natura Salary 
r year. Work 
ours: 8 a.m. to 5 p.m., 40 hours 
r week. Send resume to 

Agency for Workforce Innovati 
ALC/Unit, P.O. Box 10869. 
Tallahassee, FL 32302-0869. 

Job Order# FL-2189525. EOE 


Better address? 




SOFTWARE ENGINEERS. 


CONSULTANTS, PROGRAMMERS, 


PROGRAMMER ANALYSTS. 
PROJECT LEADERS 


pid growth, we 


BOL/400 DBA Oracle. 
& IMS CLIENT SERVER 


Attn: Recruiter 
Wizard Business Systems, Inc.
1711 West Greentree Dr., #104
Tempe, AZ 85284
Ph: 480-705-6921
Fax: 408-705-6926
E-mail: recruiter@wizardbusiness.com
An Equal Opportunity Employer 


Data Architect/DBA 
S and complex s/w 
must include data 
3 and ETL. Must work in 
m using dev and proj mgmt 
be 
Certified & have proficiency with 


Cands must 
current releases and s:Ora 
Developer, Designer, D 
Server & Enterprise Mar., JDBC 
& ODBC. Re: ncludes: dw 
framework design, log & phys dt 
design (OLTP and DSS > & 

ols installation and customiza 
on, dt tuning. Manage 
d monitor db: perf and user 
mgmt, review and optimize 
stored procs and triggers, backup
and recovery procs inc disaster
recovery, config Oracle Web
Servers & db security mtce. SQL
and PL/SQL, UNIX (Solaris 
Linux, HP-UX, AIX) | 
Scripts, Win NT/2000. MS in CS 
or App. Math + min.3 years exp 
Send 2 copies of resume to 
GRT Co ept. F 77 Summer 
S 3, CT 06901 


SYSTEMS ANALYST: Responsible
for gathering and analyzing
user requirements to automate
processing or to improve existing
computer systems. Using knowledge
of hardware, software,
programming languages and
operating systems including
knowledge of Web based systems
architecture, relational database,
UML (Unified Modeling Language)
and Object Oriented Analysis
and Design methodology. Ability
to plan, implement, test and
troubleshoot system software,
ability to transform user requirements
into technical specifications,
ability to train users during
implementation phase. Minimum
of 2 years experience in job
offered. Competitive salary, full
time job, Mon — Fri (may require
evening and weekends), positions
available in Coral Springs,
FL; Atlanta, GA; Albany, NY. No
calls, mail resumes with reference
number 010 att: L. Fernando
Jaramillo, Softtek: 2900 University
Drive, Coral Springs, FL 33065


Better training? 


IT CAREERS 


DATABASE ADMINISTRATOR
to administer, develop, analyze,
test, implement and maintain
Oracle databases using Oracle
PL*SQL, SQL and PowerBuilder
under SUN Solaris, AIX, Linux,
UNIX and Windows 95/98/NT
operating systems; Administration
duties include installation of
Oracle databases and development
tools, backup and recovery,
creation and monitoring of users,
tables, indexes, constraints, views,
synonyms, role and privileges.
Tune databases for optimum
performance and perform troubleshooting.
Require: B.S. degree
in Computer Science, an Engineering
discipline, or a closely
related field with five years of
progressively responsible experience
in the job offered or as a
Programmer/Analyst. Extensive
travel on assignment to various
client sites within the U.S. is
sired. Salary: $75,000 per
year, 8:30 am to 5:00 pm, M-F.
Send resume to: Sherry D. Luck,
President, ABT Solutions, 8517
South Park Circle, Suite 218,
Orlando, FL 32819; Attn: Job AT


Software Engineer
Des, dev and imp sophisticated
web based applications. Plan
and dev IT sys and multi-tier
distributed computing s/w apps.
Exp must inc proficiency in OOD,
OOA & modern s/w methods for
bldg sys arch & apps. Cands
must be Sun Certified in Java &
have exp with current techs:
Java, JDK, J2EE, EJB, Servlets,
JSP, Java Beans, JFC/Swing,
JDBC, ODBC, CORBA, COM,
DCOM. Must work in a team
on multiple platforms inc Sun
Solaris & UNIX. Adv knowledge
of RDBMS systems esp Oracle
required. Resp inc app life cycle
dev, imp and rollout. Ability to
produce tech doc req. MS in CS
or App. Math + min. 3 years exp.
Send 2 copies of resume to
GRT Corp, Dept. FG, 777 Summer
St, Stamford, CT 06901
EOE/M/F/D/V


Senior Consultant-Team Leader 
Lead team in the design, development
& testing of software for
internet applications. Database 
design. Tools: Visual Basic, MS. 
Access, MS-SQL Server, Active 
Server Pages, HTML, Windows 
NT. M.S. in Comp. Sci. or Mgmt 
Info. Systems + 1 year exp. in job 
offered or as a Consultant req'd 
Prev. exp. must include Visual 
Basic, SQL Server, Active Server 
Pages. 40 hrs/wk, 9am-5pm 
$62,000/year. Applicants must 
show proof of legal authority to 
work in the U.S. Send 2 copies 
of resume & cover letter to Illinois 
Dept. of Employment Security, 
401 S. State St.-7 North, Chicago 
IL 60605. Attn: Leila Jackson 
Ref# V-IL 2 Employer 
Paid Ad. 


Sr. Oracle Production Database 
Administrator sought by Co 
involved in development of content 
for integrated IT learning solutions 
in Rochester, NY. Must have MS 
in eng. or computer discipline 
and 5 yrs software eng. or 
development exp. Respond to 
Lorrie Carter, HR Dept., Element 
K, 500 Canal View Blvd.,
Rochester, NY 14623, e-mail to
oraclejobs@elementk.com, or
fax to (716) 295-9121


SOFTWARE ENGINEER to
design, develop, test and implement
application software in a
client/server environment using
C.C Visual C++, PowerBuilder
and Oracle on Windows NT and
Novell platforms. Require: B.S.
degree in Computer Science,
Engineering, or a closely related
field with five years of progressively
responsible experience in
the job offered or as a Programmer
Systems Analyst. Extensive travel
on assignments to various client
sites within the U.S. is required.
Competitive salary offered. Send
resume to: Sherry D. Luck,
President, ABT Solutions, 8517
South Park Circle, Suite 218,
Orlando, FL 32819; Attn: Job JD.


SEEKING DATABASE 
CONSULTANT. The City of 
New York/Parks & Recreation
seeks a Database
Consultant. Bachelor's 
Degree in Computer Science 
Engineering, Business, or 
related field & background 
in Oracle and MS Access. 
Send or fax resume to 
M. Brenner, MIS Director. 
CNYPR, 16 W. 61st St., 9th 
Floor, New York, NY 10023 
Fax: 212-830-7913 


Headquartered in Reno, Nevada,
Five Nine Solutions is the leader
in eTesting for eBusiness. We
currently have excellent opportunities
in our Reno office for


Project Engineers
Senior Consultants


We offer an excellent compensation
and benefits package. To
apply, please send a cover letter
and resume to


Five Nine Solutions, Inc.
Attn: Human Resources
9490 Gateway Drive #206
Reno, NV 89511
Tel D2
Fax 5-852-1088
Email: info@fiveninesolutions.com


BANKING/TECHNICAL 
CONSULTANTS 
Corillian Services, Inc. of Los 
Angeles, CA, an international IT 
Consulting company, has entry 
level and experienced openings 

for the following positions 
Business Analysts 
Programmers 

Please send resume to:
gvarghese@hatcherassociates.com

Website 


w.hatcherassociates.com 


2B Workforce, Inc., a consul 
and information technology company,
is looking for Consultants
and Senior Consultants with 3
years of IT industry exp plus 1
year of Siebel exp for work
throughout the U.S. Applicants
must have Masters degree.
Competitive salaries. Please
submit resumes to Bob Bailey at
rbailey@b2bworkforce.com


Celitec ystems, Inc. has imme- 
diate multiple openings for exp 
IT professionals in the following 
areas (various skills combination 
reqd.) Pro*C, Unix, Oracle 7.x 
SQL*Forms, C, VB, Developer 
2000, SQL Server, DB-2UDB. 
Some positions require MS or 
equiv. CS, Engg, Math, Bus. 
Admin, or rel. field while others 
require BS or equiv. as above 
Pay commensurate with exp. 
Foreign equiv of educ. and/or 
combination of educ./exp will be 
d. Travel/relocation reqd. 
Resumes & salary expectations 
to HR, 6200 The Corners Pkwy, 
Suite 315, Norcross, GA 30092 


Experio Solutions has openings 
for the following pos 


Enterprise Technology Solutions 
Sr. Consultant — San Jose 
Sr. Consultant — San Francisco 
Manager — San Jose 
Manager — San Francisco 


Customer Relationship 
Management 
Sr. Consultant — Boston 


Supply Chain Management 
Sr. Consultant — Atlanta 


Please send resumes to 
HR Department 
1717 Main Street 

Suite 500 
Dallas, TX 75201 


SOFTWARE DVLPMT ENG Program
for projects in video,
television industry. Design, dvlp.,
maintain video software. Bachelor's
Computer Sci, Eng. or equiv
+ 2 yrs exp in job or as Programmer/Analyst.
Exp w/ MS
Visual C++ & MFC in Windows
NT reqd. $63K/yr. Send resume
to: B. Sisley, Video Technics, One
Corporate Blvd, #220, Atlanta,
GA 30329.


Vision Consulting USA, an 
e-business and _ technology 
company, is seeking qualified 
candidates for the position of 
Database Architect Administrator. 
Qualified candidates should 
possess a Bachelor's Degree in 
Computer Science, Engineering 
or a related field and relevant 
professional experience, including 
strong database design and
implementation of databases
and related technologies. Send 
Resume to: Sue Ellen Cooper- 
Jones, Recruiting Manager. 
Vision Consulting USA, Inc., 110 
East 42nd Street, Suite 615. 
New York, NY 10017 


Sr. Systems Programmer-Install,
analyze, design, test, and
document new and existing 
operating systems. Using an IBM 
Mainframe OS390, Assembler, 
REXX, CLIST, CICS, SMP/E 
RACF, TCP/IP, LAN and WAN, 
Unix, DFMSMS/HSM, HCD/IOCP, 
COBOL. BS degree in Info Tech. 
2 yrs of exp or 2 yrs training with 
MVS/OS390. On-call 24hr. 
$62,000. Send resume to South 
Dakota One-Stop Career Center, 
Po Box 5778, Sioux Falls, SD 
57117-5778, phone 605/367- 
5300, fax 605/367-5308. Ref 
#SD0831536 











ENGINEERING 

Informatica Corporation, a growing
high tech company that
produces datamarts, has
openings at all levels for SW
Engineers, SW/QA Engineers,
D-Base Admin, Prof. Services
Consultants, Tech Support Engineers.
Openings at the following
locations: Palo Alto, CA; Los
Angeles, CA; Plano, TX; Iselin,
NJ; New York, NY; Washington,
D.C.; Schaumberg, IL; Atlanta,
GA; Boston, MA. Send/email
resumes to: Informatica, Attn: P.
Saadieh, 3350 W. Bayshore Rd.,
Palo Alto, CA 94303; email
psaadieh@informatica.com


EOE 


Liquidxs.com has openings for 
Senior Programmer Analyst 
positions with at least two years 
of experience in any of the 
following skills: Java, Visual 
Basic, COM/DCOM, HTML 
DHTML, Oracle, ActiveX, SQL 


Server, and Windows NT. 

Some positions require a Bachelors
Degree, others Masters
Degree. Equivalent degree and
experience is also


Exc. Pay & Bnfts. Mail resume to:


ssatov@liquidxs.com


Talent is 
the fuel of 
the new 
economy. 


Fill up 
with 
ITcareers. 


If you want to 

into our pages. 
Call Janis 



1-800-762-2 


ITCAREERS 


where the best


get better


Continued from page 1


Privacy


mandates “opt-in” rules — requiring that companies get explicit permission from consumers before they share information about them, said TowerGroup analyst Christine Pratt.

In preparation for the July 1 deadline, some large financial services firms spent millions of dollars on customer mailings and revamped databases. They’re also required to prove that their security systems are robust enough to prevent the unauthorized disclosure of private information.

Bank One Corp. in Chicago had to consolidate more than 40 databases into one to ensure that privacy could be maintained across all affiliated companies, said spokesman Stan Lata. The total cost to the bank was in the “tens of millions of dollars,” he said.

Providian Financial Corp. recently completed the compilation of a privacy database that contains responses from mailings to 17 million customers.

The bank spent 18 months and “several million of dollars” updating and consolidating almost a dozen databases and updating software, Providian officials said. Now the challenge is to create relational databases that will automatically track how information is shared and who can solicit customers.

Mark Loewenthal, chief privacy officer at San Francisco-based Providian, said it will take months to “spec out” the project, tying up “significant amounts of the business and systems [department's] time.”

Looming larger than clear-cut privacy and security provisions of federal law is a push in Congress to amend the federal legislation with a tougher set of rules.

Sen. Paul S. Sarbanes (D-Md.), chairman of the Senate Banking Committee, has submitted a bill that would force financial services firms to give customers an opt-out option even when seeking to share their financial information with affiliated firms.

Sarbanes’ bill, called the Financial Information Privacy Protection Act of 2001, would also require an opt-in option for consumers when companies share some types of sensitive financial or medical information with either an affiliated or unaffiliated third party.

According to Patrick F. Sullivan, vice president of privacy and information policy at Waltham, Mass.-based security provider Guardent Inc., an opt-in policy would be far more expensive, not only because companies would have more information to protect, but also because “you’ve got to start building your marketing lists all over again.”

Moreover, the new legislation doesn’t limit the ability of states to adopt their own, more stringent regulations.

“The more variations you get from states, the more complex it is for business to try to comply,” Loewenthal said.


MOREONLINE

For Computerworld's coverage of privacy issues, click to
www.computerworld.com/privacy


JUST THE FACTS

It’s the Law

The Financial Services Modernization Act:

• Requires an opportunity for customers to opt out of sharing personal information with nonaffiliated third parties

• Requires a clear disclosure by all financial institutions of their privacy policies


Continued from page 1


Microsoft


design remains to be determined. The appeals court remanded the case on June 28 to a lower court, and there is also the prospect of a settlement. But the appeals court decision, which upheld the finding that Microsoft used illegal means to maintain its monopoly status, raises some interesting possibilities for end users.

Testimony by one large end user, Seattle-based The Boeing Co., played a key role in the government’s contention that integration hurt consumer choice. The appeals court ruled that Microsoft’s commingling of Internet Explorer code with the operating system is anticompetitive. The court said that “the commingling deters OEMs from pre-installing rival browsers.”

A Boeing official, in a videotaped deposition and in documents, testified in 1998 that the aircraft company had standardized on Netscape Communications Corp.’s browser but said the integration between Internet Explorer and the operating system couldn't be disabled. Supporting two browsers would increase costs, a Boeing official said. The Boeing official who testified declined to comment.

Legal experts say the concerns raised by the court may ultimately be applied to media, instant messaging and other applications Microsoft is integrating with the Windows XP operating system, due in October. “It’s not beyond the pale that they might have to componentize XP to some extent,” said Donald Falk, an antitrust attorney at Mayer, Brown & Platt in Palo Alto, Calif.

For instance, if Microsoft is ultimately required to enable PC makers to remove some applications from the operating system or add others to it, end users may find it possible to purchase a Windows system more to their liking.

Mitch Blackburn, vice president of operations at rental car firm ANC Rental Corp. in Fort Lauderdale, Fla., is one such end user.

Because of the system demands of the Windows operating system, ANC has “to buy a pretty large workstation with lots of memory, fast processors, lots of disk,” said Blackburn. If he could purchase a “light” version, “that would be really advantageous,” he said. ANC currently has more than 12,000 workstations.

But end users also said it would be difficult to begin switching to non-Microsoft products.

Amy Courter, vice president of IT at marketing firm Valassis Communications Inc. in Livonia, Mich., said it’s unlikely the company would move from Internet Explorer to Netscape because the company hadn’t completed the investment, training and testing. But she still believes that a componentized operating system would be beneficial. Just “the thought of competition sometimes creates better products,” she said.

Even if PC makers gain flexibility in swapping out a Microsoft application with that of another vendor, they may “choose not to take it because of the support cost issue,” said Rob Enderle, an analyst at Cambridge, Mass.-based Giga Information Group Inc. “It will typically cost them more to support a nonintegrated offering than an integrated offering,” he said, noting that IT managers could therefore still be left with few options.

Microsoft, for its part, insisted the decision won't affect its product design.

It’s also possible that the appeals court decision could prompt lawsuits from rival vendors challenging Microsoft’s operating system design, said Hillard Sterling, an antitrust attorney at Gordon & Glickson LLC in Chicago. “It’s going to take a long legal battle to apply these restrictions to XP applications,” he said.


MOREONLINE

For Computerworld’s coverage of Microsoft’s legal issues, click to
www.computerworld.com/mslegal


Mettle to Settle?

Microsoft and the government are expected to make a third attempt at a settlement before the case returns to a lower court, as ordered by the U.S. Court of Appeals, for a new hearing on remedies and the tying issue. Possible settlement points:

BREAKUP Microsoft is adamantly opposed to a breakup. States may still push for it, but a conduct remedy was discussed in earlier settlement talks. The main problem with a conduct remedy, say critics, is the necessary ongoing government oversight.

PRICING The company could be required to provide uniform terms for Windows operating system products to PC makers.

APIs The government is likely to seek guarantees that application programming interfaces are made available to vendors and PC makers as soon as they are in use by Microsoft’s own software developers.

START-UP PC makers may get flexibility in the applications they can offer and the power to control start-up screens.


Ugly Security


NO WONDER WE HAVE security problems. For decades,
we've treated security as an afterthought, an add-on, a 
kludge. First we design the business system. Then we 
assemble the technology and build the applications 
and string the wires. And then — because it’s a check- 
off item we have to complete before the big bosses will sign off on 
the project — we throw in some security. 
That’s how we’ve done it for 40 years, since the days when IT system
security meant adding a good lock on the
mainframe room’s door.

It’s still that way today. Now, instead of a lock, 
security means passwords and firewalls and 
utilities that sound the alarm when they detect 
unauthorized probing of ports or access to 
accounts. 

But security is still the last thing we cobble 
together and bolt on. And as a result, it’s usually 
the messiest, ugliest, most user-unfriendly part 
of our systems. 

Is it any surprise that for almost everyone 
else in corporate life, our cobbled-together, 
bolted-on security is first and foremost an in- 
convenience, an irritation, an annoyance? 

Permissions, virus filters, limited data access, 
digital certificates, encryption and piles of pass- 
words — they’re all pretty much the same to 
users. They’re a pain. They chew up valuable 
time. They get in the way. 

So what do most users do when faced with 
this in-their-face, time-and-effort-consuming 
security? They look for ways around it. 

They thumbtack lists of passwords to their 
cubicle walls. They leave their PCs on when 
they’re away so they won't have to log in again. 
They turn off filters, turn on scripting and swap 
unauthorized tricks and shortcuts for bypassing 
security. 

So, of course, our security prob- 
lems just keep getting worse. It’s 
not just crackers and spies and as- 
sorted bad guys who are finding 
ways around our security. It’s our 
users, too. 

Sure, they’re wrong to undercut 
our security measures. But it’s our 
own fault. 

As long as IT people treat securi- 
ty as an afterthought, we'll keep on 
building systems where ugly, inele- 
gant security gets in the way. And if 
it’s in the way, users will fight it, 
work around it, undercut it. 





FRANK HAYES, Computerworld’s senior news columnist, has covered IT for more
than 20 years. Contact him at frank_hayes@computerworld.com.


The best solution — the one we can’t afford,
of course — would be to rebuild everything, our
entire IT infrastructure, applications, the works,
with security designed and built into it down to
the core.

We'll need that, and maybe sooner rather 
than later. With supply chains and B2B and Web 
commerce, our systems are more exposed than 
ever. But rebuilding our world with single sign- 
on, highly secure databases, IP Version 6 net- 
works, smart-card authentication and the other 
technologies required will take time. Learning 
to use them effectively will take longer. Getting 
budget approval could take forever. 

But we don’t have to wait for that. We can 
start rethinking security today. And one good 
place to begin is to take some of the sting out of 
security for users. 

Maybe we can get rid of those tacked-up lists 
of passwords by cutting down the number of 
different passwords we assign each user. If we 
can’t do real single sign-on today, maybe we can 
whip up some scripts that let users type one 
password once, and let the machine do the rest 
of the work. 

Maybe we can adjust how PCs log on to net- 
works and applications when they start up, so 
users won't be so tempted to leave them run- 
ning unattended. 

Maybe we can cut down on unau- 
thorized shortcuts around security 
by building some secure tunnels 
that let users do what they need 
easily, without compromising secu- 
rity or breaking our rules. 

Yes, those are more security 
kludges. But at least they’re elegant 
kludges that make security a little 
less obnoxious and a little more 
convenient for users. 

And just maybe that will start IT 
down the path of treating security 
as something more than an
afterthought.


USER TELLS IT pilot fish that
Microsoft Word is adding extra 
text to her documents. Sure 
enough, a short document on 
her screen comes out of the 
printer with extra text each time. 
Reinstalling the software doesn't 
help. Fish checks the printer and 
discovers user is recycling paper 
that’s already been printed on 
one side - all bearing the same 
text. Solution: blank paper 


ENGINEER WANTS a particu- 
lar new application to be in- 
stalled on one of the company’s 
Windows NT 4.0 servers. We're 
about to upgrade to Windows 
2000 - is this software compli- 
ant? pilot fish asks. “Just be- 
cause you like 2000 doesn't 
mean we have to go to it,” engi- 
neer snarls. “Why can’t we use 
NT 5 or NT 6, or even spend the 
extra for NT 7? Be different,” he 
tells fish, “and stick with NT.” 


AFTER HOSPITAL upgrades 
one low-tech doctor from a ter- 
minal to a PC, IT pilot fish gets a 
call from his secretary asking for 
a larger terminal. “He needs it for 
his bulletin board,” she explains. 
Fish is curious - the hospital has
no bulletin-board system, and
Dr. Pencil-and-Paper isn’t the
type to set one up. An office visit 
clears it up: The doc’s PC isn’t 
even turned on, but his monitor 
is covered with Post-it Notes - 
and he’s run out of space. 


SIGN OF THE TIMES Laser 
printer at a nursing home gets a 
paper jam. Pilot fish discovers 
the problem right away: a stack 
of continuous-feed paper stuck 
in the roller slot. “This printer 
uses single sheets,” fish tells 
user. “Yes, I know,” she says,
“but I was printing a banner.”


PILOT FISH is trying to upgrade 
the e-mail system. Users are 
supposed to log off by noon
Friday, but at 2 p.m., some are 
still logged on. “No, I've been 
out of my e-mail since noon,” 
swears one user. OK, says fish, 
maybe the system retained your 
connection. Can you reboot? 
“Sure,” says user, “just let me 
finish sending this e-mail.” 


Send e-mail my way: sharky@ 
computerworld.com. You get 
a sharp Shark shirt if your true 
tale of IT life sees print - or if it 
shows up in the daily feed at 
computerworld.com/sharky.


Gee, Richard, you'll have
to show me where on
the toolbar you found an
icon labeled “Overkill”.


©Rich Tennant, www.the5thwave.com





More than 280 million individuals. More than a 
billion lines of data. More than a trillion data 


elements. We're talking about a record number 





of records — even for the U.S. Census Bureau.
But it’s not just the counting that’s important in
Census 2000. It’s also the accuracy. That’s what
we the people count on most. So we can know
with certainty where to allocate our housing.
or forfeit our Congressional seats. Who makes
up our nation’s demographics. To review the
accuracy of records from Census 2000, the U.S.
Census Bureau chose SAS. Why? We'll let our
record speak for itself. Call 800-727-0025 or
stop by www.sas.com/census. To learn more
about the U.S. Census, visit www.census.gov.


The Power to Know.


e-Intelligence


INDUSTRY POSEURS EXPOSED. 


CODERNAUTS DISCOVER 


WEB SERVICES THAT ACTUALLY WORK. 


* IBM SOFTWARE WITNESSED ENABLING WEB SERVICES. * 


SILICON VALLEY, CA —
A landmark discovery was
announced that may well
change the course of business.
Web services, as enabled by
IBM software and seen in
action, provide companies with
new ways to make money without
spending it.
A lot of hype surrounds
Web services, which contain
incredible promise. Yet, of all
the people talking about Web
services, IBM has the software
and experience to deliver on
that promise today.


TWO PROGRAMMERS FROM A PARALLEL UNIVERSE FOUND THAT IBM SOFTWARE CAN 
HELP COMPANIES UTILIZE WEB SERVICES TODAY, TO INCREASE THEIR REVENUES. 


IBM SOFTWARE SUPPORTS OPEN WEB SERVICE 
STANDARDS: UDDI, SOAP, WSDL, XML 


Web services utilize industry stan-
dards to deploy and integrate applications
across the Internet, intranets and extranets.


IT’S A DIFFERENT KIND 
OF WORLD. YOU NEED A 
DIFFERENT KIND OF SOFTWARE. 


Web services make it easy to adapt
systems to changing business needs. Flexible
applications using Web services can now be
implemented by the IBM software portfolio:
WebSphere, Lotus, DB2 and Tivoli.


e-business software


With their operations enabled by Web 
services, IT managers can now let others 
access and use their company’s 
business processes as easily as 
people download Web pages. 
The benefits: low cost of devel- 
opment and wider deployment 
of applications, increasing 
competitive advantage. 

For instance, a moving 
company facing the problem of keeping 
its trucks full during the entire cycle 
of the transport, as in return trips during 
cross-country moves, can now utilize 
Web services enabled by IBM software 
to seamlessly locate, book and manage 


new customers. 


CODERNAUTS LEARNED MORE ONLINE. 


Another case is a travel, leisure 
and entertainment company. The 
challenge? Link hundreds of applica- 
tions together to form a one-stop 
Web portal that provides relevant 
information and offerings to cus- 
tomers. The result? Expanded 
services at dramatically reduced 
costs. 


Presently, there are a number
of software vendors trying
to sell their proprietary
technologies as ways to
enable Web services.
Yet IBM is a proven provider who is delivering
a truly open e-business software
environment to exploit your existing
applications. Today.


WEB SERVICES HELP APPLICATIONS COMMUNICATE MORE EFFECTIVELY

Software that enables Web
services, known as IBM soft-
ware, was discovered by two
programmers from a parallel
universe. “We came looking for
better software,” said one. “And
this is definitely it.” For case
studies, white papers and an
announcement highlights video, visit us at
ibm.com/webservices/today